Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Closed] My Back Up drive infected With Trojan

Started by PwnUrAss , Oct 28 2009 08:15 PM

  • This topic is locked This topic is locked
2 replies to this topic

#1 PwnUrAss

PwnUrAss

    New Member

  • New Member
  • Pip
  • 1 posts

Posted 28 October 2009 - 08:15 PM

Windows Defender Caught it and it Was Trojan Downloader so i deleted it but it was too late soo i backed-up my pictures, songs, videos, etc and reformatted this is the 4th time reformatting in a week my internet Has exceeded the bandwidth and isn't renewing till 7th of November soo can't download any big anti-virus, i have Malwarebytes' Anti-Malware but not the latest (updating right now) the Trojan adds porntube.com.ink, nudetube.com.ink, and youporn.com.lnk and after few minuates it stops cmd.exe and then regedit and then firefox and the rundll32 and then report solution and then explorer.exe and then winlogon and till there is nothing BTW rundll32 stopped like and hour ago, and i formatted like 2 hours ago, when i went to my back-up drive the 3 porn sites went to my desktop i am going mad and have no clue on how to stop the infection from going to my back-up drive soo please if anyone has a way of protecting the the back-up drive sorry if i am asking too much but i am tired of this, Bootrepal isn't working can't get the logs sorry DDS (Ver_09-06-26.01) - NTFSx86 Run by õPwnUrAssõ at 12:54:27.61 on Thu 29/10/2009 Internet Explorer: 7.0.6000.16575 Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.61.1033.18.2037.778 [GMT 11:00] SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} ============== Running Processes =============== C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\svchost.exe -k rpcss C:\Windows\System32\svchost.exe -k secsvcs C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\SLsvc.exe C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\System32\spoolsv.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE c:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Windows\System32\svchost.exe -k WerSvcGroup C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\WUDFHost.exe C:\Windows\system32\DRIVERS\xaudio.exe C:\Windows\system32\taskeng.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\RtHDVCpl.exe C:\hp\support\hpsysdrv.exe C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe C:\WINDOWS\System32\igfxpers.exe C:\Program Files\HP\HP Software Update\hpwuSchd2.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Program Files\Internet Download Manager\IDMan.exe C:\Windows\system32\schtasks.exe C:\Windows\system32\igfxsrvc.exe C:\Program Files\Internet Download Manager\IEMonitor.exe c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe C:\hp\kbd\kbd.exe C:\Program Files\Windows Media Player\wmplayer.exe C:\Program Files\Windows Live\installer\WLSetupSvc.exe C:\Windows\system32\taskeng.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\system32\SearchProtocolHost.exe C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe C:\Program Files\XoftSpySE6\XoftSpySE.exe C:\Windows\servicing\TrustedInstaller.exe C:\Windows\system32\SearchFilterHost.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe C:\Users\§PwnUrAss§\Desktop\dds.scr ============== Pseudo HJT Report =============== mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Pavilion&pf=desktop mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Pavilion&pf=desktop BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide mRun: [RtHDVCpl] RtHDVCpl.exe mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe mRun: [KBD] c:\hp\kbd\KbdStub.EXE mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe" mRun: [IgfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [Persistence] c:\windows\system32\igfxpers.exe mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe" mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe mRun: [<NO NAME>] mRun: [XoftSpySE] "c:\program files\xoftspyse6\XoftSpySE.exe" -NM -hidesplash mRunOnce: [PCDrProfiler] c:\program files\pc-doctor 5 for windows\RunProfiler.exe -r mRunOnce: [isDeleteMe] "c:\windows\system32\cmd.exe" /c "c:\users\pwnura~1\appdata\local\temp\isDel.bat" mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm IE: Download with IDM - c:\program files\internet download manager\IEExt.htm IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000 IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab Notify: igfxcui - igfxdev.dll ================= FIREFOX =================== FF - ProfilePath - c:\users\pwnura~1\appdata\roaming\mozilla\firefox\profiles\wuqk8bl5.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT690666&SearchSource=3&q= FF - prefs.js: browser.startup.homepage - FF - component: c:\users\§pwnurass§\appdata\roaming\idm\idmmzcc3\components\idmmzcc.dll FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll FF - plugin: c:\program files\mozilla firefox\plugins\np32asw.dll FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); ============= SERVICES / DRIVERS =============== R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-10-29 38496] R3 XoftSpyService;XoftSpyService;c:\program files\common files\xoftspyse\6\xoftspyservice.exe [2009-8-29 582424] =============== Created Last 30 ================ 2009-10-29 12:17 <DIR> --d----- c:\programdata\ParetoLogic 2009-10-29 12:17 <DIR> --d----- c:\progra~2\ParetoLogic 2009-10-29 12:17 <DIR> --d----- c:\program files\common files\ParetoLogic 2009-10-29 12:17 <DIR> --d----- c:\program files\common files\XoftSpySE 2009-10-29 12:17 <DIR> --d----- c:\programdata\XoftSpySE 2009-10-29 12:17 <DIR> --d----- c:\progra~2\XoftSpySE 2009-10-29 12:17 <DIR> --d----- c:\program files\XoftSpySE6 2009-10-29 11:57 <DIR> --d----- c:\users\pwnura~1\appdata\roaming\Malwarebytes 2009-10-29 11:57 15,504 a------- c:\windows\system32\drivers\mbam.sys 2009-10-29 11:57 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-10-29 11:57 <DIR> --d----- c:\programdata\Malwarebytes 2009-10-29 11:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-10-29 11:57 <DIR> --d----- c:\progra~2\Malwarebytes 2009-10-29 11:56 <DIR> --d----- c:\program files\7 Wonders II 2009-10-29 11:56 0 a------- c:\windows\SC.INS 2009-10-29 11:56 0 a------- c:\windows\sc.exe 2009-10-29 11:49 <DIR> --d----- c:\users\pwnura~1\appdata\roaming\COWON 2009-10-29 11:38 <DIR> --d----- c:\program files\JetAudio 2009-10-29 11:38 <DIR> --d----- c:\program files\common files\COWON 2009-10-29 11:15 <DIR> -cdsh--- c:\program files\common files\WindowsLiveInstaller 2009-10-29 11:13 <DIR> --d----- c:\programdata\WLInstaller 2009-10-29 11:01 <DIR> --d----- c:\users\pwnura~1\appdata\roaming\IDM 2009-10-29 11:01 <DIR> --d----- c:\users\pwnura~1\appdata\roaming\DMCache 2009-10-29 11:01 <DIR> --d----- c:\program files\Internet Download Manager 2009-10-29 10:32 <DIR> --d----- c:\users\pwnura~1\appdata\roaming\Symantec 2009-10-29 10:31 <DIR> --d--r-- c:\users\§pwnurass§\Searches 2009-10-29 10:31 <DIR> --d--r-- c:\users\§pwnurass§\Contacts 2009-10-29 10:31 44 a------- c:\windows\system\hpsysdrv.dat 2009-10-29 10:31 2,421,760 a------- c:\windows\system32\wucltux.dll 2009-10-29 10:30 171,608 a------- c:\windows\system32\wuwebv.dll 2009-10-29 10:30 53,760 a------- c:\windows\system32\wuapp.exe 2009-10-29 10:29 1,798 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_KJ324AA-ABG a6430a_YC_0Pavi_QCNX817_E82APv3PrA1_49_IBoston_SMSI_V1.0_B5.05_T080321_WUH0_L409 _M2037_J360_7Intel_8Pentium Dual E2200_92.2_#080810_N10EC8136_Z10573052_G808629C2.MRK 2009-10-29 10:28 1,048,576 a--sh--- c:\users\§pwnurass§\NTUSER.DAT 2009-10-29 10:28 <DIR> --dsh--- c:\users\§pwnurass§\Templates 2009-10-29 10:28 <DIR> --dsh--- c:\users\§pwnurass§\Start Menu 2009-10-29 10:28 <DIR> --dsh--- c:\users\§pwnurass§\SendTo 2009-10-29 10:28 <DIR> --dsh--- c:\users\§pwnurass§\Recent 2009-10-29 10:28 <DIR> --dsh--- c:\users\§pwnurass§\PrintHood 2009-10-29 10:28 <DIR> --dsh--- c:\users\§pwnurass§\NetHood 2009-10-29 10:28 <DIR> --dsh--- c:\users\§pwnurass§\My Documents 2009-10-29 10:28 <DIR> --dsh--- c:\users\§pwnurass§\Local Settings 2009-10-29 10:28 <DIR> --dsh--- c:\users\§pwnurass§\Cookies 2009-10-29 10:28 <DIR> --dsh--- c:\users\§pwnurass§\Application Data 2009-10-29 10:28 <DIR> --d-h--- c:\users\§pwnurass§\AppData 2009-10-29 10:28 <DIR> --d--r-- c:\users\§pwnurass§\Videos 2009-10-29 10:28 <DIR> --d--r-- c:\users\§pwnurass§\Saved Games 2009-10-29 10:28 <DIR> --d--r-- c:\users\§pwnurass§\Pictures 2009-10-29 10:28 <DIR> --d--r-- c:\users\§pwnurass§\Music 2009-10-29 10:28 <DIR> --d--r-- c:\users\§pwnurass§\Links 2009-10-29 10:28 <DIR> --d--r-- c:\users\§pwnurass§\Favorites 2009-10-29 10:28 <DIR> --d--r-- c:\users\§pwnurass§\Downloads 2009-10-29 10:28 <DIR> --d--r-- c:\users\§pwnurass§\Documents 2009-10-29 10:28 <DIR> --d--r-- c:\users\§pwnurass§\Desktop 2009-10-29 10:28 <DIR> --d----- c:\users\§PwnUrAss§ 2009-10-29 10:24 <DIR> --dsh--- c:\programdata\Documents 2009-10-29 10:24 <DIR> --dsh--- C:\Documents and Settings ==================== Find3M ==================== 2009-10-29 11:25 51,200 a------- c:\windows\inf\infpub.dat 2009-10-29 11:25 86,016 a------- c:\windows\inf\infstrng.dat 2009-10-29 11:24 86,016 a------- c:\windows\inf\infstor.dat 2008-02-18 06:45 665,600 a------- c:\windows\inf\drvindex.dat 2008-02-18 06:27 174 a--sh--- c:\program files\desktop.ini 2006-11-02 23:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat 2006-11-02 23:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat 2006-11-02 23:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat 2006-11-02 23:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat 2006-11-02 20:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat 2006-11-02 20:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat 2006-11-02 20:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat 2006-11-02 20:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat 2009-05-25 17:02 22 a--sh--- c:\windows\sminst\HPCD.SYS 2008-02-18 06:18 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT ============= FINISH: 12:54:49.56 ===============

Attached Files


    Advertisements

Register to Remove

#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 31 October 2009 - 05:25 PM

Posted Image

It sounds like you backed up and reinstalled the infection.

The first thing we need to do it stop the autoloading of you external devices.

Vista users:
1. These tools MUST be run from the executable. (.exe) every time you run them
2. With Admin Rights (Right click, choose "Run as Administrator")

Download this file
http://download.blee...Disinfector.exe

For all of your USB or external drives:

Now run the Flash_Disinfector.exe.

Be sure to insert any flash drives or USB devices that you use.

Do this for every USB / external drives:

Next:

Run MBAM and select Full Scan.
Scan all your drives and post the results.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#3 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 11 November 2009 - 06:56 PM

Due to inactivity this topic will be closed. If you need help please start a new thread.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·