Jump to content

Fokner

Members
 View Profile  See their activity

  • Posts

    5

  • Joined

  • Last visited

 Content Type 

Posts posted by Fokner

    Infected with trojan(s)

    in Resolved Malware Removal Logs

    Posted

    I just ran Combofix, but while it was running , i started getting some error windows. One of those windows was titled "hidec.exe", and the error was:

    "The instruction...0x00010067 referenced...0x0027e368. The memory could not be "written".

    Click OK to terminate the program"

    I clicked OK, and 3-4 almost similar windows followed. I clicked OK in all of them.

    Infected with trojan(s)

    in Resolved Malware Removal Logs

    Posted

    Hi

    I have done all the scans as recommended on http://www.malwarebytes.org/forums/index.php?showtopic=9573, and here are the logs from Malwarebytes and Hijackthis

    Thanks,

    Forgot to post the hijackthis log...

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 12:00:49 PM, on 8/2/2009

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.6000.16876)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Windows Defender\MsMpEng.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    C:\Program Files\Bonjour\mDNSResponder.exe

    C:\Program Files\Java\jre6\bin\jqs.exe

    C:\Program Files\McAfee\Common Framework\FrameworkService.exe

    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

    C:\Program Files\CDBurnerXP\NMSAccessU.exe

    C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\stsystra.exe

    C:\Program Files\Dell\Dell Mobile Broadband\systray.exe

    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

    C:\Program Files\McAfee\Common Framework\UdaterUI.exe

    C:\Program Files\Windows Defender\MSASCui.exe

    C:\Program Files\Print Manager Plus - Client\CheckPages.exe

    C:\Program Files\DellTPad\Apoint.exe

    C:\Program Files\McAfee\Common Framework\McTray.exe

    C:\Program Files\DellTPad\ApMsgFwd.exe

    C:\Program Files\Dell\QuickSet\Quickset.exe

    C:\Program Files\Java\jre6\bin\jusched.exe

    C:\Program Files\DellTPad\Apntex.exe

    C:\WINDOWS\system32\hkcmd.exe

    C:\Program Files\DellTPad\HidFind.exe

    C:\WINDOWS\system32\igfxsrvc.exe

    C:\WINDOWS\system32\igfxpers.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Privoxy\privoxy.exe

    C:\Program Files\Evernote\Evernote3\EvernoteTray.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\PROGRA~1\FREEDO~1\fdm.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.speedbit.com/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = isaserver6:8080

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

    O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe

    O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

    O4 - HKLM\..\Run: [PrintManagerPlusClient] "C:\Program Files\Print Manager Plus - Client\CheckPages.exe"

    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

    O4 - Startup: Evernote.lnk = C:\Program Files\Evernote\Evernote3\EvernoteTray.exe

    O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe

    O8 - Extra context menu item: Add to Evernote - res://C:\Program Files\Evernote\Evernote3\enbar.dll/2000

    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add

    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

    O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.ezproxy.rit.edu/lib...s/ebraryRdr.cab

    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AUK.local

    O17 - HKLM\Software\..\Telephony: DomainName = AUK.local

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AUK.local

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = AUK.local

    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = AUK.local

    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

    O20 - Winlogon Notify: rbadzm - C:\WINDOWS\SYSTEM32\rbadzm.dll

    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

    O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

    O24 - Desktop Component 0: (no name) - http://www.netvibes.com/

    --

    End of file - 7925 bytes

    Same trojans over and over

    in Malwarebytes for Windows Support Forum

    Posted

    I've done three scans with Malwarebytes today as i was having some problems. The first scan found 7 threads, the second one found 1 thread , and the third one found the same threads the first scan found (even though i quarantined them in the first time)!

    Is there a way to remove them completely?

    mbam_log_2009_08_01__23_13_45_.txt

    mbam_log_2009_08_01__23_32_42_.txt

    mbam_log_2009_08_01__23_58_59_.txt

    mbam_log_2009_08_01__23_13_45_.txt

    mbam_log_2009_08_01__23_32_42_.txt

    mbam_log_2009_08_01__23_58_59_.txt

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.