Help again!!!!
-
Christie,
As you said, 2 heads are always better than one, thanks for the backup..night
itsbeef - I'll be on for a bit longer if you are still up
Ever get the feeling you are wasting your time? :rolleyes:
-
Its....
At some point, when the dust has settled, try doing a full service scan from here:
http://safety.live.com/site/en-US/article/faq.htm#FAQ1
It should do a check on the state of your PC (patches/viruses/open ports etc)..
and if you don't have it already, try Microsoft anti-spyware beta
all assuming you have a legitimate XP license..
Ever get the feeling you are wasting your time? :rolleyes:
-
Haven't been able to find much about dumador-G, partly because every a/v vendor has a diff name, but this family of trojans looks nasty..
When your PC is clean (at least 2 independent A/V scans), I suggest you check that your hosts file hasn't been amended with any 127.0.0.1 entries. Open this file in Notepad to check: c:\windows\System32\drivers\etc\hosts
If you use any internet banking, or buy stuff on the web, change your passwords, and check your bank accounts..
It was detected by avast from 1/7/05
There seems to be a lot of keylogging aspects to this family, so it is better to be safe than sorry.
Do any of these look familiar..
http://www.viruslist.com/en/viruses/encyclopedia?virusid=43837
http://www.sophos.com/virusinfo/analyses/trojdumarug.html
http://www.sophos.com/search/search-results/?search=dumador&x=63&y=17
http://vil.nai.com/vil/content/print100560.htm
http://vil.nai.com/vil/content/print100580.htm
http://www.f-secure.com/v-descs/dumaru_b.shtml
http://www.sophos.com/virusinfo/analyses/trojdumarug.html
http://www.virusbuster.hu/en/viruslab/descriptions/dumaru.g
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.nibu.m.html
Ever get the feeling you are wasting your time? :rolleyes:
-
Guys....thanks again for all your work last night!!! :beer:
I have uninstalled Prevx1 this morning and the laptop has quickened up a lot. Still getting a lot of stuff being picked up by Avast but running Windows Live Safety Scan now so touch wood it should help!
Nominating you guys for an award on MSE so watch out!!!!
:j :beer:
-
Just as a follow up guys.......
the scans have identified the following as being present and can't seem to delete it?
C:\WINDOWS\DVPD.DLL\[UPX]
Also
DCOM EXPLOIT
and
LSASS EXPLOIT (SXP)
-
Good description here
It's part of the Dumador trojan you identified yesterday. It's quite nasty because it includes an IE keylogger. That may explain why your IE was using so much CPU resource.
Again if your current AV hasn't shifted it try the online scanners in my sticky at the top of the Techie board.
Can you copy/paste a copy of your Hosts file here and we can see if it's been infected. Browse to C:/Windows/System32/Drivers/etc.
I know you didn't take too kindly to my suggestion yesterday to format but my recommendation was partly based on the ongoing risk to you. You have spent many, many hours online trying to sort this one out which may not be particularly wise if you have a keylogger infection. Hopefully you don't.
HTH
:cool:
TOG604!
-
p.s. do you mind also following up on one of my earlier suggestions yesterday before I became persona non grata to run Netstat and see which ports you have open as a result of this infection.
:cool:
TOG604!
-
Where do I get that info from? ie copy/paste a copy of your Hosts file ??
-
will run Netstat now mate!
-
Browse to this folder: C:/Windows/System32/Drivers/etc. and you will see a file in there called hosts.
Right-click on it and select open with Notepad. You should then be able to highlight all the text with your mouse, right-click, select copy and then paste into your posting reply on here.
:cool:
TOG604!
This discussion has been closed.