Jump to content

Trojan.Metajuan


RGRG

Recommended Posts

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

Hi Miekie,

Need your help getting rid of Trojan.Metajuan virus. I downloaded combofix and run the program. Here's the log.

ComboFix 09-08-27.02 - Karma Rabten 08/27/2009 21:56.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.494.240 [GMT -4:00]

Running from: c:\documents and settings\Karma Rabten\Desktop\aComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Installer\46963d.msi

c:\windows\system32\drivers\ndisrd.sys

c:\windows\system32\drivers\UACxubrftalnk.sys

c:\windows\system32\ndisapi.dll

c:\windows\system32\UACbymbpxtmpj.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACmxexyaxnvp.dat

c:\windows\system32\UACpiqwhpymbq.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

-------\Legacy_UACd.sys

-------\Legacy_NDISRD

-------\Service_NDISRD

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))

.

2009-08-28 01:35 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-28 01:35 . 2009-08-28 01:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-28 01:35 . 2009-08-28 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-28 01:35 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-26 03:29 . 2009-08-28 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-08-26 03:17 . 2009-08-26 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-08-15 18:33 . 2009-08-15 18:33 -------- d-----w- c:\program files\Common Files\Uninstall

2009-08-15 18:33 . 2009-08-26 03:53 -------- d-----w- c:\program files\PersonalAV

2009-08-11 23:47 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-26 04:07 . 2009-03-07 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-08-26 03:23 . 2009-03-07 20:48 -------- d-----w- c:\program files\Symantec AntiVirus

2009-08-05 09:01 . 2001-08-23 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-15 18:43 . 2009-02-17 05:55 -------- d-----w- c:\documents and settings\Karma Rabten\Application Data\Apple Computer

2009-07-14 03:43 . 2004-08-04 07:56 286208 ------w- c:\windows\system32\wmpdxm.dll

2009-06-26 16:50 . 2001-08-23 12:00 666624 ----a-w- c:\windows\system32\wininet.dll

2009-06-26 16:50 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll

2009-06-25 08:25 . 2001-08-23 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2001-08-23 12:00 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2001-08-23 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2001-08-23 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-25 08:25 . 2001-08-23 12:00 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2001-08-23 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-24 11:18 . 2001-08-23 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-16 14:36 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-12 12:31 . 2001-08-23 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2001-08-23 12:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2001-08-23 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2009-02-14 05:34 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 06:14 . 2001-08-23 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 19:09 . 2001-08-23 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-02-25 155648]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-02-25 118784]

"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-10-16 1368064]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-10-16 1191936]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Karma Rabten\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [5/22/2009 10:51 AM 55152]

S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]

.

- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

FF - ProfilePath - c:\documents and settings\Karma Rabten\Application Data\Mozilla\Firefox\Profiles\1b82mer2.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-27 22:02

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)

c:\windows\system32\netprovcredman.dll

- - - - - - - > 'explorer.exe'(3836)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\WiFi\bin\S24EvMon.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Intel\WiFi\bin\EvtEng.exe

c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-08-28 22:05 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-28 02:05

Pre-Run: 23,843,942,400 bytes free

Post-Run: 24,188,776,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

143 --- E O F --- 2009-08-19 06:06

Would greatly appreciate your help.

Thanks!

Link to post
Share on other sites

  • Staff

Hi,

I split your thread since you posted in someone elses thread.

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.