trojan horse


trojan horse

Post by heliftsmeup on Sun Aug 02, 2009 2:32 pm

I keep getting a trojan horse clicker.aalx popup... I have run a virus scan from AVG that won't clean it up...

Here is my logfile


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:30 AM, on 02/08/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\sttray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Users\Chrisandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Chrisandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Chrisandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Chrisandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Chrisandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Chrisandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Chrisandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Chrisandra\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Users\Chrisandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Chrisandra\Documents\Downloads\winlogon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Gateway\traybar.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Chrisandra\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8FFE36E-D0E9-4ABD-A268-05DC051EA9EB}: NameServer = 85.255.112.109,85.255.112.192
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1E19A42-07FB-4981-BFBC-B77D53649020}: NameServer = 85.255.112.109,85.255.112.192
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.109,85.255.112.192
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.109,85.255.112.192
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10442 bytes


Re: trojan horse

Post by Origin on Sun Aug 02, 2009 8:00 pm

Hello heliftsmeup,

Welcome to Geek Police, my name is Origin and I will be helping you today. Please keep the following in mind:

  • If you do not get a reply from me or another helper within 2 days, please reply to your topic with the phrase BUMP
  • If you have any cracked/pirated software in your computer delete them or we will not help you.
  • Only follow advice from Geek Police Staff and not a regular member.
  • Do NOT run any tool without Geek Police supervision as it could render your system useless.


  • Open HijackThis.
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)



  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

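As an added illustration, not part of this thread and not code from HijackThis or Geek Police: a small Python script that parses log lines in the format posted above and flags the entries a helper reads first. The three checks are my own heuristics (a hypothetical allowlist of expected DNS resolvers, a list of core Windows binary names that should only run from the Windows tree, and the "(no file)" orphan check that the fix list above also targets); the sample lines are copied from the first post's log plus one benign process line for contrast.

```python
import re
from ipaddress import ip_address
from pathlib import PureWindowsPath

# Constructed sample: lines taken from the HijackThis log posted in this thread,
# plus one benign process line (avgtray.exe) for contrast.
SAMPLE_LOG = r"""
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Users\Chrisandra\Documents\Downloads\winlogon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.109,85.255.112.192
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Hypothetical allowlist: resolvers the machine's owner expects to see in a
# static NameServer value (normally the ISP's or the corporate DNS servers).
EXPECTED_RESOLVERS = set()

# Core Windows binaries that legitimately run only from the Windows tree;
# the same file name elsewhere on disk is worth a closer look.
SYSTEM_BINARY_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe",
                       "smss.exe", "svchost.exe", "explorer.exe", "wininit.exe"}

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (running process paths, [(section, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def review(text, expected_resolvers=EXPECTED_RESOLVERS):
    """Return (reason, line) findings a helper would look at first."""
    findings = []
    processes, entries = parse_hjt(text)
    for proc in processes:
        p = PureWindowsPath(proc)
        if p.name.lower() in SYSTEM_BINARY_NAMES:
            # parts looks like ('C:\\', 'Windows', 'system32', 'x.exe')
            parts = [s.lower() for s in p.parts]
            if len(parts) < 2 or parts[1] != "windows":
                findings.append(("system binary name outside Windows tree", proc))
    for section, body in entries:
        if section == "O17":
            m = NAMESERVER_RE.search(body)
            if not m:
                continue
            for ns in m.group(1).split(","):
                ns = ns.strip()
                try:
                    ip = ip_address(ns)
                except ValueError:
                    findings.append(("unparseable NameServer value", body))
                    continue
                # A static, public resolver that the owner did not configure
                # deserves verification against the ISP's real servers.
                if ip.is_global and ns not in expected_resolvers:
                    findings.append(("static NameServer points at unexpected public resolver", body))
                    break
        elif body.endswith("(no file)"):
            findings.append(("orphaned entry, referenced file missing", body))
    return findings


if __name__ == "__main__":
    for reason, line in review(SAMPLE_LOG):
        print(f"{reason}: {line}")
```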

Re: trojan horse

Post by heliftsmeup on Wed Aug 05, 2009 11:23 pm

I did the first steps, but when I go to the malware site nothing comes up; it is a blank page.


Re: trojan horse

Post by Belahzur on Thu Aug 06, 2009 3:30 pm

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: trojan horse

Post by heliftsmeup on Thu Aug 13, 2009 11:23 pm

Sorry, I am feeling like an idiot here, but my daughter's computer is running on Vista and I cannot change the name before it downloads. It simply asks me if I trust the site, then it does its own thing.... any suggestions? I don't know if it makes a difference, but she is also using Google Chrome.

Thanks
Claire


Re: trojan horse

Post by Belahzur on Fri Aug 14, 2009 6:41 pm

Hello.
Try downloading it without renaming, and see what happens.



Re: trojan horse

Post by heliftsmeup on Fri Aug 14, 2009 7:05 pm

It keeps telling me Windows has detected a problem that has stopped the program from working... no details.


Re: trojan horse

Post by Belahzur on Fri Aug 14, 2009 8:41 pm

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.



Re: trojan horse

Post by heliftsmeup on Fri Aug 14, 2009 10:07 pm

GMER 1.0.15.15020 [ekh3k27s.exe] - [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-14 18:00:27
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

Code 8608B518 ZwEnumerateKey
Code 8608B4E0 ZwFlushInstructionCache

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 81E7CFE2 5 Bytes JMP 8613B9EB
.text ntkrnlpa.exe!IofCallDriver 81EFEF6F 5 Bytes JMP 8613B9B2
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 81FF530B 5 Bytes JMP 8608B4E4
PAGE ntkrnlpa.exe!ZwEnumerateKey 8204ABA2 5 Bytes JMP 8608B51C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73BF7BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73C398C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73BFD3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73BEF527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73BF7599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73BEE43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73C2B33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73BFD68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73BF012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73BF0095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73BE71F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73C7D802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73C175E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73BEDAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73BE668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73BE66BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73BF1E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Re: trojan horse

Post by Origin on Sat Aug 15, 2009 5:50 pm

Please download [You must be registered and logged in to see this link.]

  • Next run the file; *Note: If running Vista, right click and select run as administrator
  • Once opened, navigate to the log tab and select all the areas including the hidden objects only box and click on the create log button
  • A scan will start and then a window will pop up with two options, select scan all drives
  • Once finished it will give you a location where it was saved, navigate to that place usually the desktop, and open the log, post all the contents of the log back here.



Re: trojan horse

Post by heliftsmeup on Sun Aug 16, 2009 5:32 pm

I was unable to right click to open as administrator, so I don't know if that changes anything, but here is the log that came up.

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
No Hidden Kernel Modules found

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: CHRISANDRA-PC:49221
Remote Address: QB-IN-F100.GOOGLE.COM:HTTPS
Type: TCP
Process: 1264 (PID)
State: SYN_SENT

Local Address: CHRISANDRA-PC:49218
Remote Address: AN-IN-F91.GOOGLE.COM:HTTP
Type: TCP
Process: 3252 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49215
Remote Address: QW-IN-F102.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49191
Remote Address: YO-IN-F166.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49189
Remote Address: HE-IN-F189.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49188
Remote Address: VX-IN-F132.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49187
Remote Address: YO-IN-F103.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49186
Remote Address: HE-IN-F18.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49185
Remote Address: HE-IN-F18.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49184
Remote Address: HE-IN-F18.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49183
Remote Address: HE-IN-F18.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49182
Remote Address: HE-IN-F18.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49181
Remote Address: HE-IN-F18.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49174
Remote Address: VW-IN-F95.GOOGLE.COM:HTTPS
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49173
Remote Address: HE-IN-F18.GOOGLE.COM:HTTPS
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49172
Remote Address: HE-IN-F18.GOOGLE.COM:HTTPS
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49171
Remote Address: HE-IN-F18.GOOGLE.COM:HTTPS
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49170
Remote Address: VX-IN-F97.GOOGLE.COM:HTTPS
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49169
Remote Address: HE-IN-F18.GOOGLE.COM:HTTPS
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49168
Remote Address: YO-IN-F103.GOOGLE.COM:HTTPS
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:49196
Remote Address: LOCALHOST:49193
Type: TCP
Process: 3560 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49193
Remote Address: LOCALHOST:49196
Type: TCP
Process: 2896 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49193
Remote Address: 0.0.0.0:0
Type: TCP
Process: 2896 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:49162
Remote Address: LOCALHOST:27015
Type: TCP
Process: 3312 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:27015
Remote Address: LOCALHOST:49162
Type: TCP
Process: 536 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: 536 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: 1096 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:4664
Remote Address: 0.0.0.0:0
Type: TCP
Process: 3252 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:49157
Remote Address: 0.0.0.0:0
Type: TCP
Process: 668 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: 680 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:49155
Remote Address: 0.0.0.0:0
Type: TCP
Process: 1264 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:49154
Remote Address: 0.0.0.0:0
Type: TCP
Process: 1168 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:49153
Remote Address: 0.0.0.0:0
Type: TCP
Process: 620 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: 980 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:62706
Remote Address: NA
Type: UDP
Process: 1020 (PID)
State: NA

Local Address: CHRISANDRA-PC:5353
Remote Address: NA
Type: UDP
Process: 1096 (PID)
State: NA

Local Address: CHRISANDRA-PC:SSDP
Remote Address: NA
Type: UDP
Process: 1020 (PID)
State: NA

Local Address: CHRISANDRA-PC:138
Remote Address: NA
Type: UDP
Process: 4 (PID)
State: NA

Local Address: CHRISANDRA-PC:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: 4 (PID)
State: NA

Local Address: CHRISANDRA-PC:62707
Remote Address: NA
Type: UDP
Process: 1020 (PID)
State: NA

Local Address: CHRISANDRA-PC:62604
Remote Address: NA
Type: UDP
Process: 1264 (PID)
State: NA

Local Address: CHRISANDRA-PC:53392
Remote Address: NA
Type: UDP
Process: 3372 (PID)
State: NA

Local Address: CHRISANDRA-PC:SSDP
Remote Address: NA
Type: UDP
Process: 1020 (PID)
State: NA

Local Address: CHRISANDRA-PC:55352
Remote Address: NA
Type: UDP
Process: 1096 (PID)
State: NA

Local Address: CHRISANDRA-PC:52906
Remote Address: NA
Type: UDP
Process: 1096 (PID)
State: NA

Local Address: CHRISANDRA-PC:LLMNR
Remote Address: NA
Type: UDP
Process: 1072 (PID)
State: NA

Local Address: CHRISANDRA-PC:IPSEC-MSFT
Remote Address: NA
Type: UDP
Process: 1264 (PID)
State: NA

Local Address: CHRISANDRA-PC:500
Remote Address: NA
Type: UDP
Process: 1264 (PID)
State: NA

Local Address: CHRISANDRA-PC:123
Remote Address: NA
Type: UDP
Process: 1020 (PID)
State: NA

******************************************************************************************
******************************************************************************************
No hidden files/folders found


Re: trojan horse

Post by Belahzur on Sun Aug 16, 2009 7:02 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.



Re: trojan horse

Post by heliftsmeup on Sun Aug 16, 2009 7:32 pm

DDS (Ver_09-07-30.01) - NTFSx86
Run by Chrisandra at 15:29:08.42 on 16/08/2009
Internet Explorer: 8.0.6001.18783
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.3062.2007 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\IDT\WDM\STacSV.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\sttray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Users\Chrisandra\Documents\Downloads\SysProt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Chrisandra\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {A057A204-BACC-4D26-8087-36EE87E26986} - No File
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Microsoft Location Finder] "c:\program files\microsoft location finder\LocationFinder.exe"
uRun: [Google Update] "c:\users\chrisandra\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for gateway\traybar.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\chrisa~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: cantireu.com\www
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - [You must be registered and logged in to see this link.]
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - [You must be registered and logged in to see this link.]
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - [You must be registered and logged in to see this link.]
DPF: {15B782AF-55D8-11D1-B477-006097098764} - [You must be registered and logged in to see this link.]
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - [You must be registered and logged in to see this link.]
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - [You must be registered and logged in to see this link.]
TCP: NameServer = 85.255.112.109,85.255.112.192
TCP: {B8FFE36E-D0E9-4ABD-A268-05DC051EA9EB} = 85.255.112.109,85.255.112.192
TCP: {F1E19A42-07FB-4981-BFBC-B77D53649020} = 85.255.112.109,85.255.112.192
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,avgrsstx.dll c:\progra~1\google\google~1\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-27 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-11 327688]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-4 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-4-3 29744]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2009-08-14 15:01 318,976 a------- c:\windows\system32\CF16936.exe
2009-08-13 19:13 318,976 a------- c:\windows\system32\CF13593.exe
2009-08-13 19:12 318,976 a------- c:\windows\system32\CF13358.exe
2009-08-13 19:11 318,976 a------- c:\windows\system32\CF12395.exe
2009-08-08 22:12 --dsh--- C:\found.000
2009-08-05 16:26 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-08-05 16:26 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-05 16:26 --d----- c:\program files\iPod
2009-08-05 16:26 --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-05 16:26 --d----- c:\program files\iTunes
2009-08-05 16:26 --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-02 10:20 --d----- c:\users\chrisandra\.SunDownloadManager
2009-07-31 19:23 --d----- c:\users\chrisa~1\appdata\roaming\OpenSong
2009-07-31 19:17 --d----- c:\program files\OpenSong
2009-07-27 14:48 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-27 14:34 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-27 14:32 -cd-h--- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-27 14:32 -cd-h--- c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-27 14:32 --d----- c:\programdata\Lavasoft
2009-07-27 14:32 --d----- c:\program files\Lavasoft
2009-07-27 14:16 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-27 14:16 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-27 14:16 --d----- c:\programdata\Malwarebytes
2009-07-27 14:16 --d----- c:\progra~2\Malwarebytes
2009-07-27 14:16 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-27 14:00 --d----- c:\programdata\WindowsSearch

==================== Find3M ====================

2009-08-05 16:23 143,360 a------- c:\windows\inf\infstrng.dat
2009-08-05 16:23 86,016 a------- c:\windows\inf\infstor.dat
2009-08-05 16:23 51,200 a------- c:\windows\inf\infpub.dat
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-01 17:39 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-01 17:39 11,952 a------- c:\windows\system32\avgrsstx.dll
2008-09-11 21:26 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-05-12 16:06 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-12 16:06 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-12 16:06 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 15:29:35.23 ===============


Re: trojan horse

Post by Belahzur on Sun Aug 16, 2009 9:11 pm

Hello.
No rootkit by the looks of it, GMER isn't flagging anything.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O17 - HKLM\System\CCS\Services\Tcpip\..\{B8FFE36E-D0E9-4ABD-A268-05DC051EA9EB}: NameServer = 85.255.112.109,85.255.112.192
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F1E19A42-07FB-4981-BFBC-B77D53649020}: NameServer = 85.255.112.109,85.255.112.192
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.109,85.255.112.192
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.109,85.255.112.192


  • Press "Fix Checked"
  • Close Hijack This.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


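The check Belahzur performs by eye above (and the matching `TCP: NameServer` lines in the DDS.txt post earlier in the thread) can be scripted: pull every NameServer entry out of a HijackThis or DDS log and flag resolvers that are not where a home machine's DNS should point. The following is an added Python example, not a tool from the thread nor part of HijackThis or DDS. The sample lines are copied from the two logs above plus one constructed clean entry; the allowlist (RFC 1918 ranges and loopback) and the 203.0.113.5 "ISP resolver" used in the usage note are assumptions.

```python
"""Flag unexpected DNS resolvers in HijackThis O17 and DDS "TCP:" log lines.

Added example for this thread; it is not HijackThis, DDS or forum code.
"""
import ipaddress
import re

# Constructed sample: two O17 lines from the reply above, three "TCP:" lines in
# DDS.txt format (two copied from the thread, one made-up clean router entry),
# and one unrelated BHO line that the parser must ignore.
SAMPLE_LOG = "\n".join([
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{B8FFE36E-D0E9-4ABD-A268-05DC051EA9EB}: NameServer = 85.255.112.109,85.255.112.192",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.109,85.255.112.192",
    r"TCP: NameServer = 85.255.112.109,85.255.112.192",
    r"TCP: {F1E19A42-07FB-4981-BFBC-B77D53649020} = 85.255.112.109,85.255.112.192",
    r"TCP: NameServer = 192.168.1.1",  # constructed: a normal home-router resolver
    r"BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll",
])

# HijackThis O17 line: key is the registry path, value is the resolver list.
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
# DDS "TCP:" line: key is either the literal NameServer or an interface GUID.
DDS_RE = re.compile(r"^TCP: (?P<key>NameServer|\{[0-9A-Fa-f-]+\}) = (?P<servers>.+)$")


def allowed_networks(*cidrs):
    """Build an allowlist of networks from CIDR strings."""
    return [ipaddress.ip_network(c) for c in cidrs]


# Assumption: a home PC should resolve through its router (RFC 1918) or loopback.
# An organisation would list its own resolvers here instead.
DEFAULT_ALLOWED = allowed_networks(
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"
)


def parse_nameserver_lines(text):
    """One record per NameServer line: log format, registry key or interface
    GUID, and the resolver addresses as written (comma separated)."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        for source, pattern in (("hjt-O17", O17_RE), ("dds-TCP", DDS_RE)):
            m = pattern.match(line)
            if m:
                servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
                records.append({"source": source, "key": m.group("key"), "servers": servers})
                break
    return records


def unexpected_resolvers(servers, allowed=DEFAULT_ALLOWED):
    """Addresses outside every allowed network. Tokens that are not valid IPs
    are reported as well: a corrupted value deserves a look, not silence."""
    bad = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            bad.append(s)
            continue
        if not any(ip in net for net in allowed):
            bad.append(s)
    return bad


def flag_dns_hijack(text, allowed=DEFAULT_ALLOWED):
    """Records whose resolver list contains at least one unexpected address."""
    findings = []
    for rec in parse_nameserver_lines(text):
        bad = unexpected_resolvers(rec["servers"], allowed)
        if bad:
            findings.append({**rec, "unexpected": bad})
    return findings


if __name__ == "__main__":
    for f in flag_dns_hijack(SAMPLE_LOG):
        print(f"{f['source']:8} {f['key']}: unexpected resolvers {f['unexpected']}")
```

Run against the sample, the four entries pointing at 85.255.112.109 and 85.255.112.192 are reported and the constructed 192.168.1.1 entry is not. If the machine legitimately uses a public resolver, extend the allowlist with `allowed_networks(...)` rather than widening the defaults; the point of the check is that every resolver should be one you can name.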
