Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Unknown Trojan

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unknown Trojan

Unread postby richada41 » January 30th, 2008, 11:21 pm

Although it says in the forum title that I should post my log from hijackthis I have not downloaded and installed this yet but I can provide a log taken from AVG/Ewido which hopefully can be useful. If not I will get hijackthis and provide a second log.

I recently contracted what I originally thought was spyware, but might be a trojan. I have run a number of spyware/virus scanners and they all detect an unnamed trojan (it is simply named Win32 Trojan, but not more specific).

The symptoms are that it slows my computer down and messes with my internet. Whatever website I go to it starts opening links to everywhere and anywhere. This frequently leads to spyware removal tools such as "antispyware suite". I googled this and believe I am supposed to just close all the links.

Another symptom occurs on start up where I get the following message:

During a scan of files at systems startup, potential errors in the system registry were found. p07-0100 irql 1f sysver 0xff00024
NT_kernel error 1256
kmode_exception_not_handled

This messages comes up twice at the same time and again I close from the X rather than clicking okay in case it tries to install something new.

Next is log taken from Ewido/AVG. I ran the scans during safe mode in the hope that they would be able to disinfect files that were running in a normal windows mode.

==================
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 14:57:46 30/01/2008

+ Scan result:



C:\System Volume Information\_restore{17BA8639-DDC3-47C9-ACB3-E048E295FC6E}\RP128\A0007624.exe -> Adware.Agent : Cleaned.
C:\Program Files\MSN Gaming Zone\cece.html -> Hijacker.IFrame.dn : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe -> Not-A-Virus.Adware.PurityScan : Ignored.
C:\Program Files\Outerinfo\FF\components\FF.dll -> Not-A-Virus.Adware.ZenoSearch : Ignored.
C:\Documents and Settings\Rich\Cookies\rich@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@disneyintranet.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@entrepreneur.122.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@heavycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@shopping.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ads.adengage[2].txt -> TrackingCookie.Adengage : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@adrevolver[5].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@media.adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@adtech[1].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@adtech[3].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@www.adtrak[1].txt -> TrackingCookie.Adtrak : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@www.adtrak[2].txt -> TrackingCookie.Adtrak : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@www.adtrak[3].txt -> TrackingCookie.Adtrak : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@advertising[3].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@advertising[4].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@adviva[2].txt -> TrackingCookie.Adviva : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@casalemedia[3].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@casalemedia[5].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@casalemedia[6].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@connextra[1].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@connextra[4].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@doubleclick[3].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@doubleclick[4].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@fastclick[4].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ehg-tigerdirect2.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@auto.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@questionmarket[3].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@revsci[3].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@tacoda[3].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@weborama[1].txt -> TrackingCookie.Weborama : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@m.webtrends[3].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ad.yieldmanager[4].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@ad.yieldmanager[5].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Rich\Cookies\rich@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\UmljaGFyZCBBZGFtcw\oA53u3IVtF11t3IQwT.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\uninstall_nmon.vbs -> Trojan.Small : Cleaned with backup (quarantined).


::Report end
========================

Edit:

My log taken from hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:07:19, on 31/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PPATCH~1\netdde.exe
C:\WINDOWS\system32\??sks\?hkntfs.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [04c24e01] rundll32.exe "C:\WINDOWS\system32\jalnajhy.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Atat] "C:\WINDOWS\system32\PPATCH~1\netdde.exe" -vt yazb
O4 - HKCU\..\Run: [Nkpjk] C:\WINDOWS\system32\??sks\?hkntfs.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 0091912875
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0091897125
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\hpjbkgep.exe (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\cece.html

--
End of file - 5781 bytes
richada41
Active Member
 
Posts: 2
Joined: January 30th, 2008, 10:39 pm
Advertisement
Register to Remove

Re: Unknown Trojan

Unread postby random/random » February 1st, 2008, 4:12 pm

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum as a reply to this topic

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post the Malwarebytes' Anti-Malware log, the SDFix log and a new HijackThis log as a reply to this topic
User avatar
random/random
Developer
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Re: Unknown Trojan

Unread postby richada41 » February 2nd, 2008, 10:02 pm

SD Fix Report
-------------

SDFix: Version 1.135

Run by Rich on 02/02/2008 at 00:01

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Temp\1cb\syscheck.log - Deleted
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe - Deleted
C:\WINDOWS\mrofinu1000106.exe - Deleted
C:\WINDOWS\mrofinu572.exe.tmp - Deleted
C:\WINDOWS\system32\pac.txt - Deleted


Could Not Remove C:\WINDOWS\system32\drivers\core.cache.dsk

Folder C:\Program Files\Dot1XCfg - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed


Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 00:14:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Documents and Settings\\Rich\\Desktop\\Quake 3\\quake3.exe"="C:\\Documents and Settings\\Rich\\Desktop\\Quake 3\\quake3.exe:*:Enabled:quake3"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\aqbvspno.exe"="C:\\WINDOWS\\system32\\aqb"
"C:\\WINDOWS\\system32\\hpjbkgep.exe"="C:\\WINDOWS\\system32\\hpj"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------
C:\WINDOWS\system32\drivers\core.cache.dsk Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 2 Feb 2008 31,892 ..SH. --- "C:\WINDOWS\system32\vzlcbltk.dllbox"
Mon 28 Jan 2008 230,400 ..SHR --- "C:\WINDOWS\system32\??sks\?hkntfs.exe"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\02bf78654a17f7da57a4be756b6657c6\download\BITFA.tmp"
Fri 1 Jun 2007 19,616 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0f66ac0b7ccd71faf6da904f29228240\download\BITC8.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\19abb7aa3cd1fb365336bb1970f8bcac\download\BIT10C.tmp"
Mon 28 Jan 2008 371,494 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\218766960d1465c026412385b0d1d978\download\BITCA.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\243c97729a3a8fbb5f1e18f85169b8de\download\BITD7.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\28b9e8891c9d2fde720f9c1779fbb3a2\download\BIT10D.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2a2715f6180c3bfa2a58178525f24c67\download\BIT107.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\37e5b122079a0c7ba85fcc8ce8310ad8\download\BITDC.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3f4a1c441b883836dd798a58e2267c01\download\BITE8.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\42c5126b69bac94caeec8fe01db46882\download\BITF6.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\44e64941e64e5067dd624ca4e27c2efd\download\BITFD.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4c3676a8145aee7e1ea794fa1e50e6bf\download\BIT116.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4ce0edaf0becf811dda5cbccda731ad4\download\BIT102.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f4012d60daff369f73873817164328b\download\BIT11A.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5cc724b3995f72ef3222dddf08658056\download\BITE2.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6e49db26b225c64ffbbd852b587ab944\download\BITEA.tmp"
Sat 4 Nov 2006 244,844 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\70a4fbe7217488f673cf5d20367dabc9\download\BITC9.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\77fb6133f53c27d91d3cee36a1c7aca3\download\BIT10B.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\794fe6c4497072d6b676dff316f341a2\download\BITDD.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\88aa16c08992a222297cc493fc329b20\download\BITFF.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\94ba036bb5fca2ae81a35216d14fcffa\download\BIT100.tmp"
Fri 30 Jun 2006 35,492 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\97a9b4183ee83502797f62c2c0b429cf\download\BITC4.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a0d45ac61d8a7a5b7faa78852c46bf15\download\BITDA.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab3ff7345e588ae6b96775dfd8c062ed\download\BITE5.tmp"
Wed 21 Nov 2007 91,332 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ada4d488d7d0854b79cefb8bc70c8d98\download\BITC6.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b2ebfcb0d3e31cb844250d8d3cdd9b7f\download\BITDF.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c810b29b22044bd72df654fd63ee0af2\download\BITD8.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ca5637d04d95ed9d000d812508931a7b\download\BIT106.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\dbb0845a5e7327f0f30f61e848a77bc6\download\BIT110.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e21fd56f1f5bfc33771c50bc8a68808a\download\BIT10E.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f1635eb0df6388580e55a87b2d1cd782\download\BIT105.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f54d9f16cafb3a043d81262b001f62f8\download\BITF1.tmp"
Mon 28 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f8c6a8157d1ed68b0b0f724babd8b17f\download\BITDB.tmp"

Finished!



Hijackthis log
------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:57:30, on 03/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\??sks\?hkntfs.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [04c24e01] rundll32.exe "C:\WINDOWS\system32\gkgxomvl.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Atat] "C:\WINDOWS\system32\PPATCH~1\netdde.exe" -vt ndrv
O4 - HKCU\..\Run: [Nkpjk] C:\WINDOWS\system32\??sks\?hkntfs.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 0091912875
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 0091897125
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 5253 bytes



Unfortunately I do not have a log for Malware Bytes. I ran the program and it reached about 80000 files scanned and then stopped increasing. However at this point the number of infected files increased to over 11000. At this point I tried to abort and get a log but it crashed and I had to shut down.

Looking in my My Documents Folder and my Windows folder there are over 11000 files with the names:
pos1A1B.tmp and other various alterations.
On Malware bytes these were identified as malware traces, although unfortunately they were not removed because the program crashed. I do not really want to try it again because it'll just log another 11000 files and I have no idea when that would stop.

Is it safe to just delete all these tmp files from both the windows and my documents folders???

Thank you for your help
richada41
Active Member
 
Posts: 2
Joined: January 30th, 2008, 10:39 pm

Re: Unknown Trojan

Unread postby random/random » February 3rd, 2008, 7:24 am

Yes, those files should be safe to delete - which is part of what the following instructions will do

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Copy the contents of the following codebox to a notepad window

Code: Select all
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\aqbvspno.exe"=-
"C:\\WINDOWS\\system32\\hpjbkgep.exe"=-

 


Save it to the desktop as fix.reg, making sure save as type is set to all files

Locate Fix.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt

  • Open a new notepad window (Start>All Programs>Accessories>Notepad)
  • Copy & paste the contents of the following codebox into the notepad window
    Code: Select all
    sc stop BITS
    del /a /f /s /q "%allusersprofile%\qmgr?.dat"
    del /a /f /s /q "%systemdrive%\pos???.tmp"
    del /a /f /s /q "%systemdrive%\pos????.tmp"
  • Click File > Save as
  • In the box labelled File name copy and paste cleanup.bat
  • Change Save as type to All Files
  • Save it to your desktop
  • Close the notepad window
  • Double click on cleanup.bat
  • A DOS window will come up briefly and then disappear, this is normal

After this, please see if you can successfully run Malwarebytes' antimalware
User avatar
random/random
Developer
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Re: Unknown Trojan

Unread postby 'KotaGuy » February 20th, 2008, 12:55 pm

This topic is now closed due to inactivity. If you wish it to be reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 22 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware