Jump to content

Infected with trojan(s)


Recommended Posts

Hi

I have done all the scans as recommended on http://www.malwarebytes.org/forums/index.php?showtopic=9573, and here are the logs from Malwarebytes and Hijackthis

Thanks,

Forgot to post the hijackthis log...

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:00:49 PM, on 8/2/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Dell\Dell Mobile Broadband\systray.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Print Manager Plus - Client\CheckPages.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\Dell\QuickSet\Quickset.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\DellTPad\Apntex.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Privoxy\privoxy.exe

C:\Program Files\Evernote\Evernote3\EvernoteTray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\PROGRA~1\FREEDO~1\fdm.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.speedbit.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = isaserver6:8080

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [PrintManagerPlusClient] "C:\Program Files\Print Manager Plus - Client\CheckPages.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Startup: Evernote.lnk = C:\Program Files\Evernote\Evernote3\EvernoteTray.exe

O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe

O8 - Extra context menu item: Add to Evernote - res://C:\Program Files\Evernote\Evernote3\enbar.dll/2000

O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.ezproxy.rit.edu/lib...s/ebraryRdr.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AUK.local

O17 - HKLM\Software\..\Telephony: DomainName = AUK.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AUK.local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = AUK.local

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = AUK.local

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - Winlogon Notify: rbadzm - C:\WINDOWS\SYSTEM32\rbadzm.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe

O24 - Desktop Component 0: (no name) - http://www.netvibes.com/

--

End of file - 7925 bytes

Link to post
Share on other sites

Welcome to Malwarebytes!!!! :)

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:

Do not mouseclick combofix's window while it's running. That may cause it to stall

Link to post
Share on other sites

I just ran Combofix, but while it was running , i started getting some error windows. One of those windows was titled "hidec.exe", and the error was:

"The instruction...0x00010067 referenced...0x0027e368. The memory could not be "written".

Click OK to terminate the program"

I clicked OK, and 3-4 almost similar windows followed. I clicked OK in all of them.

Link to post
Share on other sites

Hi im infected with trojan DNSChanger, i tried to look for the infected files as mentioned in another forums, but can anyone tell me what to do??

im using malwarebyte here but it seems that it keeps on coming back after i remove it

file:///C:/Users/tan/Documents/Trojan.DNSChanger.jpg

and whenever i try to open the quarantine tab, the will be an error.

file:///C:/Users/tan/Documents/Quarantine.jpg

this is the log file after a full scan:

Malwarebytes' Anti-Malware 1.39

Database version: 2551

Windows 6.0.6001 Service Pack 1

4/8/2009 10:11:12 PM

mbam-log-2009-08-04 (22-11-12).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 68223

Time elapsed: 39 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Please download Sysprot Antirootkit

Unzip it into a folder on your desktop.

  • Double-Click Sysprot.exe to start the program.
  • Click on the log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the Bottom Right.
  • After a few seconds a new windows should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted too.
  • Open the text file and copy/paste the log here
Link to post
Share on other sites

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.