Help in removing whatever I may have!



smumdax
2010-10-25, 23:18
Hello. I don't know where to start, so I'll simply post here my DDS log and will wait for any help you guys can give me.


DDS (Ver_10-10-21.02) - NTFSx86 MINIMAL
Run by Smumdax at 16:01:21,60 on 2010-10-25
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.1265 [GMT -4:00]

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LVComsX.exe
C:\Documents and Settings\Smumdax\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = about:blank
uSearch Bar =
mSearchAssistant =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: IE Developer Toolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Cooliris Plug-In for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\cooliris.dll
TB: {A057A204-BACC-4D26-8287-79A187E26987} - No File
EB: IE Developer Toolbar: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\smumdax\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\smumdax\startm~1\programs\startup\outloo~1.lnk - c:\program files\outlook express\msimn.exe
StartupFolder: c:\docume~1\smumdax\startm~1\programs\startup\winamp.lnk - c:\program files\winamp\winamp.exe
IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\cooliris.dll
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awtuspmK
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2009-2-12 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2009-2-12 5248]
S1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-1-11 532224]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-6 136176]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 B-Service;B-Service;c:\documents and settings\smumdax\application data\mikogo\B-Service.exe [2010-4-28 185640]
S3 Dmdptsaad6iw;Dmdptsaad6iw;c:\windows\system32\cmd.exe [2004-8-3 389120]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe --> c:\program files\magix\common\database\bin\fbserver.exe [?]
S3 sysdrv32;Host Port I/O Driver;\??\c:\windows\system32\drivers\sysdrv32.sys --> c:\windows\system32\drivers\sysdrv32.sys [?]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2008-1-25 25088]
S4 Dmigsttor;Dmigsttor; [x]
S4 WinHost32Svr;Windows Host32 Server Service;"c:\windows\security\svchost.exe" --> c:\windows\security\svchost.exe [?]

=============== Created Last 30 ================

2010-10-24 14:35:24 -------- d-----w- c:\program files\win
2010-10-21 02:45:44 -------- d-----w- c:\docume~1\smumdax\applic~1\DVDFab
2010-10-21 02:37:07 -------- d-----w- c:\program files\DVDFab 5
2010-10-09 15:57:43 -------- d-----w- c:\program files\Virtual Dub Mod 1.5.10
2010-10-06 02:49:25 303104 ----a-w- c:\windows\emunist.exe
2010-10-06 02:49:21 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2010-10-06 02:49:21 15232 ----a-w- c:\windows\system32\drivers\MPE.sys
2010-10-06 02:48:55 363520 -c--a-w- c:\windows\system32\dllcache\psisdecd.dll
2010-10-06 02:48:55 363520 ----a-w- c:\windows\system32\PsisDecd.dll
2010-10-06 02:48:54 56832 ----a-w- c:\windows\system32\MSDvbNP.ax
2010-10-06 02:48:54 33280 ----a-w- c:\windows\system32\PsisRndr.ax
2010-10-06 02:48:54 11776 -c--a-w- c:\windows\system32\dllcache\bdasup.sys
2010-10-06 02:48:54 11776 ----a-w- c:\windows\system32\drivers\BdaSup.sys
2010-10-06 02:48:52 18432 ----a-w- c:\windows\system32\BdaPlgIn.ax
2010-10-06 02:48:51 106496 ----a-w- c:\windows\system32\emPRP.ax
2010-10-06 02:48:42 -------- d-----w- c:\program files\Roxio
2010-09-30 17:36:17 -------- d-----w- c:\docume~1\smumdax\applic~1\com.nationalgeographic.products.cng120.68B1CC4249876152EBE333BD4B7514ADB4D94062.1
2010-09-30 17:34:45 -------- d-----w- c:\documents and settings\smumdax\natgeo_temp

==================== Find3M ====================

2010-10-24 14:29:50 12622 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-10-12 05:21:29 73 ----a-w- c:\windows\system32\ssprs.dll
2010-10-12 05:21:29 205 ----a-w- c:\windows\system32\lsprst7.dll

============= FINISH: 16:05:34,39 ===============

shelf life
2010-11-01, 22:48
Hi smumdax,

Your post is a few days old. If you still need help, post back. You should not use this machine if it hasn't been cleaned up yet. Power it off so there is no connectivity.

smumdax
2010-11-01, 23:19
I didn't post anything because I was waiting for an answer... it was said that if I post, I will be ignored because helpers are watching the no-reply posts first...

Anyways, yes I would like some help... it's just kinda late (what, a full week of waiting?!?), so I ordered a new computer. I'm a webmaster, so even a couple of days without a computer is very hard... :(

Can you tell me what's wrong just by looking at the log I've posted?

shelf life
2010-11-01, 23:54
You did it right: one post, then wait for a reply. Sometimes it can take a while to get a reply. Based on your log I can tell that it looks like you have a trojan with backdoor functionality.
So you have a new machine now? I can't be without one for a few hours myself.

smumdax
2010-11-01, 23:58
Actually I'm still waiting for my new machine... I'm using my gf's laptop now and then, but I'm very, very late on a lot of work because of this situation...

From what can you see the trojan?

shelf life
2010-11-02, 01:06
From what can you see the trojan ?

Windows Host32 Server Service
sysdrv32;
[ShowDeskFix] regsvr32 /s /n /i:u shell32
c:\windows\system32\awtuspmK

I don't see a resident antivirus app in the list, a necessity in Windows.
If you want to clean up the machine we can proceed.
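As an added example (not code from the thread or from the DDS tool), here is a small Python scanner that applies the kind of checks shelf life made by eye to the service and LSA lines of a DDS log: svchost.exe running from somewhere other than system32, a service whose binary is cmd.exe, an extra LSA authentication package beyond msv1_0, and files DDS marks "[?]" because it could not verify them on disk. The line layout is assumed from the log above; the severity labels and the benign gupdate control line are my own choices.

```python
import re

# Sample input constructed from the DDS log posted above; gupdate is a benign control line.
SAMPLE_LOG = r"""
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-6 136176]
S3 Dmdptsaad6iw;Dmdptsaad6iw;c:\windows\system32\cmd.exe [2004-8-3 389120]
S4 WinHost32Svr;Windows Host32 Server Service;"c:\windows\security\svchost.exe" --> c:\windows\security\svchost.exe [?]
S3 sysdrv32;Host Port I/O Driver;\??\c:\windows\system32\drivers\sysdrv32.sys --> c:\windows\system32\drivers\sysdrv32.sys [?]
LSA: Authentication Packages = msv1_0 c:\windows\system32\awtuspmK
"""

# DDS service line: "<state> <short name>;<display name>;<binary path> [<date> <size>]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
LSA_RE = re.compile(r"^LSA: Authentication Packages = (.*)$")
SYSTEM32 = r"c:\windows\system32"


def service_binary(rest):
    """Pull the binary path out of the tail of a DDS service line.
    DDS writes 'path --> path [?]' when it cannot verify the file; otherwise the
    trailing bracket holds the file's date and size."""
    unverified = rest.rstrip().endswith("[?]")
    rest = re.sub(r"\s*\[[^\]]*\]\s*$", "", rest)      # drop the trailing [...] stamp
    rest = rest.split("-->")[-1].strip().strip('"')     # keep the resolved path
    return rest.lower(), unverified


def scan_dds(text):
    """Return (severity, item, reason) tuples for suspicious service/LSA lines."""
    findings = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            name = m.group(2)
            path, unverified = service_binary(m.group(4))
            folder, _, exe = path.rpartition("\\")
            if exe == "svchost.exe" and folder != SYSTEM32:
                findings.append(("high", name, "svchost.exe running from " + folder))
            elif exe == "cmd.exe":
                findings.append(("high", name, "service registered with cmd.exe as its binary"))
            elif unverified:
                findings.append(("info", name, "DDS could not verify the file on disk"))
            continue
        m = LSA_RE.match(line)
        if m:
            # Only msv1_0 is expected here; anything else is an extra package loaded into LSASS.
            for pkg in m.group(1).split():
                if pkg.lower() != "msv1_0":
                    findings.append(("high", "LSA", "extra authentication package " + pkg))
    return findings


if __name__ == "__main__":
    for severity, item, reason in scan_dds(SAMPLE_LOG):
        print(f"[{severity}] {item}: {reason}")
```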