Jump to content
Sign in to follow this  
06Honda

Trojan Issue

Recommended Posts

Windows XP Home Edition SP2

Issue summary: Cannot update any programs at all. Cannot do a windows update. All links selected within your site give me an IE error page. When ever I do a search in google it takes me to a page to buy some software every time. All of my favorites saved before this started allow me to go to those sites.

Log 1: Malwarebytes' Anti-Malware 1.30

Database version: 1306

Windows 5.1.2600 Service Pack 2

11/12/2008 7:59:20 PM

mbam-log-2008-11-12 (19-59-20).txt

Scan type: Quick Scan

Objects scanned: 43268

Time elapsed: 2 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 10

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSbubx.log (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\TDSScfgb.dll (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\system32\TDSSfpmp.dll (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\system32\TDSSnmxh.log (Trojan.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\TDSSnrsr.dll (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\system32\TDSSoeqh.dll (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\system32\TDSSriqp.dll (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\system32\TDSSthym.dll (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\system32\drivers\TDSSpaxt.sys (Rootkit.Agent) -> Delete on reboot.

Log 2: Malwarebytes' Anti-Malware 1.30

Database version: 1391

Windows 5.1.2600 Service Pack 2

11/13/2008 5:26:14 PM

mbam-log-2008-11-13 (17-26-14).txt

Scan type: Full Scan (C:\|)

Objects scanned: 72108

Time elapsed: 19 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{3DCD8EEC-7469-41B2-AD90-AFDA28CD5DC9}\RP2\A0000001.sys (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\TDSSosvn.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\TDSS9909.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Log 3: Malwarebytes' Anti-Malware 1.30

Database version: 1391

Windows 5.1.2600 Service Pack 2

11/13/2008 5:53:46 PM

mbam-log-2008-11-13 (17-53-40).txt

Scan type: Full Scan (C:\|)

Objects scanned: 72082

Time elapsed: 19 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{3DCD8EEC-7469-41B2-AD90-AFDA28CD5DC9}\RP2\A0000032.sys (Trojan.Downloader) -> No action taken.

Log 4: Windows 5.1.2600 Service Pack 2

11/13/2008 7:08:12 PM

mbam-log-2008-11-13 (19-08-08).txt

Scan type: Full Scan (C:\|)

Objects scanned: 72358

Time elapsed: 19 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{3DCD8EEC-7469-41B2-AD90-AFDA28CD5DC9}\RP2\A0000042.sys (Trojan.Downloader) -> No action taken.

One item keeps being found after following instructions and rebooting. Is this a false reading or something else as far as malware.

Share this post


Link to post
Share on other sites

Hi, and Welcome to MalwareBytes :blink:

My name is jpshortstuff. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner

Share this post


Link to post
Share on other sites

After running Malwarebytes several times everything is back to normal, nothing found anymore. I will continue to run scans to keep an eye on things. The programs I currently started using to deal with junk are AVast; SuperAntiSpyware; Ad-aware; Hijack Retaliator & Hijack this. Thanks for the post back.

Share this post


Link to post
Share on other sites
After running Malwarebytes several times everything is back to normal, nothing found anymore. I will continue to run scans to keep an eye on things. The programs I currently started using to deal with junk are AVast; SuperAntiSpyware; Ad-aware; Hijack Retaliator & Hijack this. Thanks for the post back.

Here is my Hijack log, lots on it but I have not selected anything to be fixed yet?

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:50:37 AM, on 11/15/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [bHR] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O15 - Trusted Zone: http://www.computerhope.com

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1196566958671

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1197506489312

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://gameadvisor.futuremark.com/global/msc3121.cab

O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{9EE3030C-F343-4733-AD52-8F9BCD80F3F3}: NameServer = 199.246.2.115 199.246.2.4

O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - (no file)

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--

End of file - 5132 bytes

Share this post


Link to post
Share on other sites

Hi.

Fix this item in HijackThis:

O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - (no file)

If you want me to check if there's anything left from your infection please do the following:

Please download DDS and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.

---------------------------------------------------

  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scroling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and the click UPLOAD.

Are you having any more problems with your computer?

Thanks.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.