Post #1, Oct 28 2009, 08:15 PM

New Member | Group: New Member | Posts: 1 | Joined: 28-October 09 | Member No.: 88,570 | Operating System: Windows Vista
Windows Defender caught it and it was a Trojan Downloader, so I deleted it, but it was too late. So I backed up my pictures, songs, videos, etc. and reformatted. This is the 4th time reformatting in a week. My internet has exceeded the bandwidth and isn't renewing till the 7th of November, so I can't download any big anti-virus. I have Malwarebytes' Anti-Malware but not the latest (updating right now).
The Trojan adds porntube.com.lnk, nudetube.com.lnk, and youporn.com.lnk, and after a few minutes it stops cmd.exe, and then regedit, and then Firefox, and then rundll32, and then report solution, and then explorer.exe, and then winlogon, and so on till there is nothing. BTW rundll32 stopped like an hour ago, and I formatted like 2 hours ago. When I went to my back-up drive the 3 porn sites went to my desktop. I am going mad and have no clue on how to stop the infection from going to my back-up drive, so please, if anyone has a way of protecting the back-up drive... Sorry if I am asking too much, but I am tired of this. Bootrepal isn't working, can't get the logs, sorry.

```
DDS (Ver_09-06-26.01) - NTFSx86
Run by õPwnUrAssõ at 12:54:27.61 on Thu 29/10/2009
Internet Explorer: 7.0.6000.16575
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.61.1033.18.2037.778 [GMT 11:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Windows\system32\schtasks.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe
C:\Program Files\XoftSpySE6\XoftSpySE.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\§PwnUrAss§\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Pavilion&pf=desktop
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [XoftSpySE] "c:\program files\xoftspyse6\XoftSpySE.exe" -NM -hidesplash
mRunOnce: [PCDrProfiler] c:\program files\pc-doctor 5 for windows\RunProfiler.exe -r
mRunOnce: [isDeleteMe] "c:\windows\system32\cmd.exe" /c "c:\users\pwnura~1\appdata\local\temp\isDel.bat"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\pwnura~1\appdata\roaming\mozilla\firefox\profiles\wuqk8bl5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT690666&SearchSource=3&q=
FF - prefs.js: browser.startup.homepage -
FF - component: c:\users\§pwnurass§\appdata\roaming\idm\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np32asw.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-10-29 38496]
R3 XoftSpyService;XoftSpyService;c:\program files\common files\xoftspyse\6\xoftspyservice.exe [2009-8-29 582424]

=============== Created Last 30 ================

2009-10-29 12:17 <DIR> --d----- c:\programdata\ParetoLogic
2009-10-29 12:17 <DIR> --d----- c:\progra~2\ParetoLogic
2009-10-29 12:17 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-10-29 12:17 <DIR> --d----- c:\program files\common files\XoftSpySE
2009-10-29 12:17 <DIR> --d----- c:\programdata\XoftSpySE
2009-10-29 12:17 <DIR> --d----- c:\progra~2\XoftSpySE
2009-10-29 12:17 <DIR> --d----- c:\program files\XoftSpySE6
2009-10-29 11:57 <DIR> --d----- c:\users\pwnura~1\appdata\roaming\Malwarebytes
2009-10-29 11:57 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-10-29 11:57 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 11:57 <DIR> --d----- c:\programdata\Malwarebytes
2009-10-29 11:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 11:57 <DIR> --d----- c:\progra~2\Malwarebytes
2009-10-29 11:56 <DIR> --d----- c:\program files\7 Wonders II
2009-10-29 11:56 0 a------- c:\windows\SC.INS
2009-10-29 11:56 0 a------- c:\windows\sc.exe
2009-10-29 11:49 <DIR> --d----- c:\users\pwnura~1\appdata\roaming\COWON
2009-10-29 11:38 <DIR> --d----- c:\program files\JetAudio
2009-10-29 11:38 <DIR> --d----- c:\program files\common files\COWON
2009-10-29 11:15 <DIR> -cdsh--- c:\program files\common files\WindowsLiveInstaller
2009-10-29 11:13 <DIR> --d----- c:\programdata\WLInstaller
2009-10-29 11:01 <DIR> --d----- c:\users\pwnura~1\appdata\roaming\IDM
2009-10-29 11:01 <DIR> --d----- c:\users\pwnura~1\appdata\roaming\DMCache
2009-10-29 11:01 <DIR> --d----- c:\program files\Internet Download Manager
2009-10-29 10:32 <DIR> --d----- c:\users\pwnura~1\appdata\roaming\Symantec
2009-10-29 10:31 <DIR> --d--r-- c:\users\§pwnurass§\Searches
2009-10-29 10:31 <DIR> --d--r-- c:\users\§pwnurass§\Contacts
2009-10-29 10:31 44 a------- c:\windows\system\hpsysdrv.dat
2009-10-29 10:31 2,421,760 a------- c:\windows\system32\wucltux.dll
2009-10-29 10:30 171,608 a------- c:\windows\system32\wuwebv.dll
2009-10-29 10:30 53,760 a------- c:\windows\system32\wuapp.exe
2009-10-29 10:29 1,798 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_KJ324AA-ABG a6430a_YC_0Pavi_QCNX817_E82APv3PrA1_49_IBoston_SMSI_V1.0_B5.05_T080321_WUH0_L409 _M2037_J360_7Intel_8Pentium Dual E2200_92.2_#080810_N10EC8136_Z10573052_G808629C2.MRK
2009-10-29 10:28 1,048,576 a--sh--- c:\users\§pwnurass§\NTUSER.DAT
2009-10-29 10:28 <DIR> --dsh--- c:\users\§pwnurass§\Templates
2009-10-29 10:28 <DIR> --dsh--- c:\users\§pwnurass§\Start Menu
2009-10-29 10:28 <DIR> --dsh--- c:\users\§pwnurass§\SendTo
2009-10-29 10:28 <DIR> --dsh--- c:\users\§pwnurass§\Recent
2009-10-29 10:28 <DIR> --dsh--- c:\users\§pwnurass§\PrintHood
2009-10-29 10:28 <DIR> --dsh--- c:\users\§pwnurass§\NetHood
2009-10-29 10:28 <DIR> --dsh--- c:\users\§pwnurass§\My Documents
2009-10-29 10:28 <DIR> --dsh--- c:\users\§pwnurass§\Local Settings
2009-10-29 10:28 <DIR> --dsh--- c:\users\§pwnurass§\Cookies
2009-10-29 10:28 <DIR> --dsh--- c:\users\§pwnurass§\Application Data
2009-10-29 10:28 <DIR> --d-h--- c:\users\§pwnurass§\AppData
2009-10-29 10:28 <DIR> --d--r-- c:\users\§pwnurass§\Videos
2009-10-29 10:28 <DIR> --d--r-- c:\users\§pwnurass§\Saved Games
2009-10-29 10:28 <DIR> --d--r-- c:\users\§pwnurass§\Pictures
2009-10-29 10:28 <DIR> --d--r-- c:\users\§pwnurass§\Music
2009-10-29 10:28 <DIR> --d--r-- c:\users\§pwnurass§\Links
2009-10-29 10:28 <DIR> --d--r-- c:\users\§pwnurass§\Favorites
2009-10-29 10:28 <DIR> --d--r-- c:\users\§pwnurass§\Downloads
2009-10-29 10:28 <DIR> --d--r-- c:\users\§pwnurass§\Documents
2009-10-29 10:28 <DIR> --d--r-- c:\users\§pwnurass§\Desktop
2009-10-29 10:28 <DIR> --d----- c:\users\§PwnUrAss§
2009-10-29 10:24 <DIR> --dsh--- c:\programdata\Documents
2009-10-29 10:24 <DIR> --dsh--- C:\Documents and Settings

==================== Find3M ====================

2009-10-29 11:25 51,200 a------- c:\windows\inf\infpub.dat
2009-10-29 11:25 86,016 a------- c:\windows\inf\infstrng.dat
2009-10-29 11:24 86,016 a------- c:\windows\inf\infstor.dat
2008-02-18 06:45 665,600 a------- c:\windows\inf\drvindex.dat
2008-02-18 06:27 174 a--sh--- c:\program files\desktop.ini
2006-11-02 23:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 23:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 23:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 23:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 20:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 20:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 20:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 20:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-05-25 17:02 22 a--sh--- c:\windows\sminst\HPCD.SYS
2008-02-18 06:18 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 12:54:49.56 ===============
```
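As an added example (not part of the original post, and not code from the DDS tool or the forum), the following Python triage helper splits a DDS log of the format posted above into its banner-delimited sections and lists the entries a helper would usually look at first: processes whose image runs from a user profile or temp path, autostart values with no command, values that launch something out of a temp directory, and BHO/TB entries pointing at a file that no longer exists. The sample log is constructed from a handful of the posted lines with the user name replaced; the heuristics are mine and only queue entries for manual review, they decide nothing about whether an entry is malicious.

```python
"""DDS log triage helper (added example; not part of the original post).

Splits the log into its "==== Section ====" blocks and pulls out the entries
a helper would review first.  The heuristics only queue entries for review.
"""
import re

# Banner lines such as "============== Running Processes ===============".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Autostart values in the Pseudo HJT Report: "mRun: [Name] command".
AUTORUN_RE = re.compile(r"^(uRun|mRun|uRunOnce|mRunOnce):\s*\[(.*?)\]\s*(.*)$")
# Browser helper objects / toolbars whose file is gone.
ORPHAN_RE = re.compile(r"^(BHO|TB):\s*(.*?)\s*-\s*No File$")

# Constructed sample: a few lines taken from the posted log, user name replaced.
SAMPLE_LOG = r"""
DDS (Ver_09-06-26.01) - NTFSx86
Run by user at 12:54:27.61 on Thu 29/10/2009

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [<NO NAME>]
mRun: [XoftSpySE] "c:\program files\xoftspyse6\XoftSpySE.exe" -NM -hidesplash
mRunOnce: [isDeleteMe] "c:\windows\system32\cmd.exe" /c "c:\users\user\appdata\local\temp\isDel.bat"

============= FINISH: 12:54:49.56 ===============
"""


def split_sections(text):
    """Map each banner title to the non-empty lines under it ("Header" before the first)."""
    sections = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def flag_processes(lines):
    """Processes whose image lives under a user profile or a temp directory."""
    findings = []
    for line in lines:
        lower = line.lower()
        if lower.startswith("c:\\users\\") or "\\temp\\" in lower:
            findings.append(("process", line, "image runs from a user profile or temp directory"))
    return findings


def flag_autostarts(lines):
    """Autostart entries worth a second look: orphaned, empty, or temp-launched."""
    findings = []
    for line in lines:
        orphan = ORPHAN_RE.match(line)
        if orphan:
            findings.append(("autostart", line, f"{orphan.group(1)} entry points to a missing file"))
            continue
        run = AUTORUN_RE.match(line)
        if not run:
            continue
        key, _name, command = run.groups()
        lower = command.lower()
        if not command:
            findings.append(("autostart", line, f"{key} value has no command"))
        elif "\\temp\\" in lower:
            findings.append(("autostart", line, f"{key} launches something from a temp directory"))
        elif "cmd.exe" in lower and ".bat" in lower:
            findings.append(("autostart", line, f"{key} runs a batch file through cmd.exe"))
    return findings


def review_dds(text):
    """Return (kind, entry, reason) tuples for the entries to review first."""
    sections = split_sections(text)
    return (flag_processes(sections.get("Running Processes", []))
            + flag_autostarts(sections.get("Pseudo HJT Report", [])))


if __name__ == "__main__":
    for kind, entry, reason in review_dds(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {entry}")
```

Run against the constructed sample it reports five entries: the scanner itself running from the Desktop, the two "No File" browser entries, the nameless empty mRun value, and the RunOnce entry that runs a batch file out of the temp folder. Everything else (Sidebar, the anti-spyware tool) passes through untouched; the point is to shrink a long log to the lines that need a human, not to replace the human.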
Topic: My Back Up drive infected With Trojan [Closed]

- PwnUrAss: My Back Up drive infected With Trojan (Oct 28 2009, 08:15 PM)
- LDTate: "It sounds like you backed up and reinstalled the i..." (Oct 31 2009, 05:25 PM)
- LDTate: "Due to inactivity this topic will be closed. If yo..." (Nov 11 2009, 06:56 PM)