Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Trojan Problem


Re: Trojan Problem

Post by silver » June 16th, 2008, 2:28 am

Hi sin_fury,

Don't worry about the two entries missing from the Add/Remove Programs list, that's no problem.
With regard to the file upload, there should be a file on your Desktop called [32]-Submit_YYYY-MM-DD@HH.SS.zip where YYYY-MM-DD and HH.SS is the date and time of the ComboFix scan. Please upload it as follows:

Please open this page in your browser:
http://www.bleepingcomputer.com/submit- ... channel=32

Fill in the link to topic field with a link to this topic
Press the Browse button, browse to and select the [32]-Submit_YYYY-MM-DD@HH.SS.zip file on your Desktop, then press Send File, this will upload the file for analysis.

------------------------------------------------------------------------

Next press Start->Run, copy/paste the following command (it's one long command) into the box and press OK:
cmd /c dir "c:\windows\*srv*.*" /a /s >> "%userprofile%\desktop\look.txt" & notepad "%userprofile%\desktop\look.txt"
A black box will open and a file will appear on your Desktop called look.txt.
Please wait for look.txt to open in Notepad automatically.
Post the contents of look.txt in your next response.

------------------------------------------------------------------------

Clean with MalwareBytes' Anti-Malware
  • Please download the Installer to your Desktop from here:
    http://www.besttechie.net/tools/mbam-setup.exe
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to both of these options:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure everything is checked, and click Remove Selected.
  • When finished, a log will open in Notepad. Please save it to your Desktop, and post the contents in your reply.
  • The log can also be found here if you need it:
    • Start->All Programs->Malwarebytes' Anti-Malware->Logs

------------------------------------------------------------------------

Once complete, please post the look.txt output, the MalwareBytes Antimalware report and a new HijackThis log.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7
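The `dir "c:\windows\*srv*.*" /a /s` command above dumps every file whose name contains "srv" under c:\windows, and the helper reads the resulting look.txt by eye. As an added example, not part of the original thread or of any tool it names, here is a small Python parser for that look.txt format which also compares the c:\windows\system32 entries against c:\windows\system32\dllcache, the Windows File Protection cache of known-good copies on XP: a system32 file with no cached copy, or with a size that differs from its cached copy, is a candidate for closer inspection. The sample listing is constructed in the same format; fakesrv.dll and the differing winsrv.dll sizes are invented for the demonstration.

```python
import re
from collections import defaultdict

# One file or directory line of "dir /a /s" output (Windows XP, US date format),
# e.g. "11/07/2007  04:26 AM           721,920 lsasrv.dll"
#  or  "09/08/2005  01:15 AM    <DIR>          inetsrv".
ENTRY_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}\s*[AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)
DIR_HEADER_RE = re.compile(r"^\s*Directory of\s+(.+?)\s*$", re.IGNORECASE)

# Constructed sample in the look.txt format. fakesrv.dll and the differing
# winsrv.dll sizes are invented for the demonstration.
SAMPLE_LOOK_TXT = r"""
 Volume in drive C has no label.
 Volume Serial Number is 4CA4-3F2A

 Directory of c:\windows\system32

08/10/2004  07:00 AM            42,496 audiosrv.dll
09/08/2005  01:15 AM    <DIR>          inetsrv
11/07/2007  04:26 AM           721,920 lsasrv.dll
03/17/2007  08:43 AM           292,864 winsrv.dll
06/11/2008  10:35 PM            45,056 fakesrv.dll
               4 File(s)      1,102,336 bytes

 Directory of c:\windows\system32\dllcache

08/10/2004  07:00 AM            42,496 audiosrv.dll
11/07/2007  04:26 AM           721,920 lsasrv.dll
08/10/2004  07:00 AM           290,816 winsrv.dll
               3 File(s)      1,055,232 bytes
"""


def parse_dir_listing(text):
    """Map each directory (lower-cased) to {name_lower: (size, date, time, name)}.

    Subdirectory entries (<DIR>) are skipped; dir /s lists them under their own header.
    """
    listing = defaultdict(dict)
    current = None
    for line in text.splitlines():
        header = DIR_HEADER_RE.match(line)
        if header:
            current = header.group(1).lower()
            continue
        entry = ENTRY_RE.match(line)
        if entry is None or current is None:
            continue
        date, time, size, name = entry.groups()
        if size == "<DIR>":
            continue
        listing[current][name.lower()] = (int(size.replace(",", "")), date, time, name)
    return dict(listing)


def compare_with_dllcache(listing, windir=r"c:\windows"):
    """Flag system32 files that have no dllcache copy or a different size.

    Returns [(kind, name, system32_size, dllcache_size_or_None)] in name order.
    A hit is a lead, not a verdict: dllcache only holds WFP-protected files,
    and malware running as administrator can rewrite dllcache as well.
    """
    sys32 = listing.get((windir + r"\system32").lower(), {})
    cache = listing.get((windir + r"\system32\dllcache").lower(), {})
    findings = []
    for key, (size, _date, _time, name) in sorted(sys32.items()):
        if key not in cache:
            findings.append(("no-dllcache-copy", name, size, None))
        elif cache[key][0] != size:
            findings.append(("size-mismatch", name, size, cache[key][0]))
    return findings


if __name__ == "__main__":
    for kind, name, sys_size, cache_size in compare_with_dllcache(
        parse_dir_listing(SAMPLE_LOOK_TXT)
    ):
        print(f"{kind:18} {name:14} system32={sys_size} dllcache={cache_size}")
```

On the real look.txt posted later in this thread the comparison would flag files such as sqlsrv32.dll and usrv42a.dll as having no cached copy simply because they are not WFP-protected, so treat a hit as a pointer to a file worth hashing against a known-good copy rather than as proof of tampering.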

Re: Trojan Problem

Post by sin_fury » June 16th, 2008, 2:46 am

Here are the logs you asked for

Volume in drive C has no label.
Volume Serial Number is 4CA4-3F2A

Directory of c:\windows\$hf_mig$\KB885835\SP2QFE

10/27/2004 08:28 PM 721,920 lsasrv.dll
1 File(s) 721,920 bytes

Directory of c:\windows\$hf_mig$\KB888302\SP2QFE

12/07/2004 02:29 PM 96,768 srvsvc.dll
1 File(s) 96,768 bytes

Directory of c:\windows\$hf_mig$\KB890859\SP2QFE

03/02/2005 01:19 PM 291,328 winsrv.dll
1 File(s) 291,328 bytes

Directory of c:\windows\$hf_mig$\KB893756\SP2QFE

07/08/2005 11:28 AM 249,344 tapisrv.dll
1 File(s) 249,344 bytes

Directory of c:\windows\$hf_mig$\KB896422\SP2QFE

05/09/2005 07:22 PM 332,544 srv.sys
1 File(s) 332,544 bytes

Directory of c:\windows\$hf_mig$\KB900725\SP2QFE

08/31/2005 08:44 PM 291,840 winsrv.dll
1 File(s) 291,840 bytes

Directory of c:\windows\$hf_mig$\KB902400\SP2QFE

07/25/2005 11:20 PM 225,792 catsrv.dll
07/25/2005 11:20 PM 625,152 catsrvut.dll
2 File(s) 850,944 bytes

Directory of c:\windows\$hf_mig$\KB917159\SP2QFE

04/21/2006 01:46 AM 332,800 srv.sys
1 File(s) 332,800 bytes

Directory of c:\windows\$hf_mig$\KB923414\SP2QFE

08/14/2006 07:00 AM 332,928 srv.sys
1 File(s) 332,928 bytes

Directory of c:\windows\$hf_mig$\KB924270\SP2QFE

08/17/2006 07:37 AM 726,528 lsasrv.dll
1 File(s) 726,528 bytes

Directory of c:\windows\$hf_mig$\KB930178\SP2QFE

03/17/2007 08:45 AM 292,864 winsrv.dll
1 File(s) 292,864 bytes

Directory of c:\windows\$hf_mig$\KB943485\SP2QFE

11/07/2007 04:50 AM 727,040 lsasrv.dll
1 File(s) 727,040 bytes

Directory of c:\windows\$NtUninstallKB885835$

08/10/2004 07:00 AM 721,920 lsasrv.dll
1 File(s) 721,920 bytes

Directory of c:\windows\$NtUninstallKB888302$

08/10/2004 07:00 AM 96,768 srvsvc.dll
1 File(s) 96,768 bytes

Directory of c:\windows\$NtUninstallKB890859$

08/10/2004 07:00 AM 290,816 winsrv.dll
1 File(s) 290,816 bytes

Directory of c:\windows\$NtUninstallKB893756$

08/10/2004 07:00 AM 246,272 tapisrv.dll
1 File(s) 246,272 bytes

Directory of c:\windows\$NtUninstallKB896422$

08/10/2004 07:00 AM 336,256 srv.sys
1 File(s) 336,256 bytes

Directory of c:\windows\$NtUninstallKB900725$

03/02/2005 01:09 PM 291,328 winsrv.dll
1 File(s) 291,328 bytes

Directory of c:\windows\$NtUninstallKB902400$

08/10/2004 07:00 AM 229,888 catsrv.dll
08/10/2004 07:00 AM 628,224 catsrvut.dll
2 File(s) 858,112 bytes

Directory of c:\windows\$NtUninstallKB917159$

05/09/2005 07:17 PM 332,544 srv.sys
1 File(s) 332,544 bytes

Directory of c:\windows\$NtUninstallKB923414$

04/21/2006 01:12 AM 332,800 srv.sys
1 File(s) 332,800 bytes

Directory of c:\windows\$NtUninstallKB924270$

10/27/2004 08:21 PM 721,920 lsasrv.dll
1 File(s) 721,920 bytes

Directory of c:\windows\$NtUninstallKB930178$

08/31/2005 08:41 PM 291,840 winsrv.dll
1 File(s) 291,840 bytes

Directory of c:\windows\$NtUninstallKB943485$

08/17/2006 07:28 AM 721,920 lsasrv.dll
1 File(s) 721,920 bytes

Directory of c:\windows\Help

08/10/2004 07:00 AM 48,494 file_srv.chm
08/10/2004 07:00 AM 32,400 sys_srv.chm
08/10/2004 07:00 AM 19,459 timesrv.chm
3 File(s) 100,353 bytes

Directory of c:\windows\inf

08/10/2004 07:00 AM 22,554 divasrv.inf
09/08/2005 01:22 AM 23,804 divasrv.PNF
2 File(s) 46,358 bytes

Directory of c:\windows\Prefetch

06/11/2008 10:35 PM 55,262 LIVESRV.EXE-0013331D.pf
06/16/2008 12:39 AM 21,046 WMIAPSRV.EXE-1E2270A5.pf
2 File(s) 76,308 bytes

Directory of c:\windows\system32

08/10/2004 07:00 AM 42,496 audiosrv.dll
08/10/2004 07:00 AM 52,736 basesrv.dll
07/25/2005 11:39 PM 225,792 catsrv.dll
08/10/2004 07:00 AM 85,504 catsrvps.dll
07/25/2005 11:39 PM 625,152 catsrvut.dll
08/10/2004 07:00 AM 33,280 clipsrv.exe
08/10/2004 07:00 AM 32,768 csrsrv.dll
08/10/2004 07:00 AM 380,957 expsrv.dll
09/08/2005 01:15 AM <DIR> inetsrv
11/07/2007 04:26 AM 721,920 lsasrv.dll
03/26/1998 12:00 AM 38,160 MAPISRVR.EXE
08/10/2004 07:00 AM 10,496 mcdsrv32.dll
08/10/2004 07:00 AM 32,768 mnmsrvc.exe
08/10/2004 07:00 AM 16,896 qappsrv.exe
08/10/2004 07:00 AM 415,744 samsrv.dll
08/10/2004 07:00 AM 313,856 scesrv.dll
08/10/2004 07:00 AM 442,368 sqlsrv32.dll
08/10/2004 07:00 AM 90,112 sqlsrv32.rll
12/07/2004 02:32 PM 96,768 srvsvc.dll
08/10/2004 07:00 AM 71,680 ssdpsrv.dll
07/08/2005 11:27 AM 249,344 tapisrv.dll
08/10/2004 07:00 AM 295,424 termsrv.dll
08/10/2004 07:00 AM 102,457 usrv42a.dll
08/10/2004 07:00 AM 49,209 usrv80a.dll
08/10/2004 07:00 AM 45,116 usrvoica.dll
08/10/2004 07:00 AM 49,211 usrvpa.dll
03/17/2007 08:43 AM 292,864 winsrv.dll
08/10/2004 07:00 AM 91,648 xactsrv.dll
27 File(s) 4,904,726 bytes

Directory of c:\windows\system32\dllcache

08/10/2004 07:00 AM 42,496 audiosrv.dll
08/10/2004 07:00 AM 52,736 basesrv.dll
07/25/2005 11:39 PM 225,792 catsrv.dll
08/10/2004 07:00 AM 85,504 catsrvps.dll
07/25/2005 11:39 PM 625,152 catsrvut.dll
08/10/2004 07:00 AM 33,280 clipsrv.exe
08/10/2004 07:00 AM 32,768 csrsrv.dll
08/10/2004 07:00 AM 380,957 expsrv.dll
11/07/2007 04:26 AM 721,920 lsasrv.dll
08/10/2004 07:00 AM 10,496 mcdsrv32.dll
08/10/2004 07:00 AM 32,768 mnmsrvc.exe
08/03/2004 09:58 PM 7,552 mskssrv.sys
08/10/2004 07:00 AM 16,896 qappsrv.exe
08/10/2004 07:00 AM 415,744 samsrv.dll
08/10/2004 07:00 AM 313,856 scesrv.dll
08/14/2006 05:34 AM 332,928 srv.sys
12/07/2004 02:32 PM 96,768 srvsvc.dll
08/10/2004 07:00 AM 71,680 ssdpsrv.dll
07/08/2005 11:27 AM 249,344 tapisrv.dll
08/10/2004 07:00 AM 295,424 termsrv.dll
08/10/2004 07:00 AM 49,209 usrv80a.dll
08/10/2004 07:00 AM 45,116 usrvoica.dll
08/10/2004 07:00 AM 49,211 usrvpa.dll
03/17/2007 08:43 AM 292,864 winsrv.dll
08/10/2004 07:00 AM 126,464 wmiapsrv.exe
08/10/2004 07:00 AM 91,648 xactsrv.dll
26 File(s) 4,698,573 bytes

Directory of c:\windows\system32\drivers

08/03/2004 09:58 PM 7,552 MSKSSRV.sys
02/27/2004 10:04 AM 4,608 ProcObsrv.sys
08/14/2006 05:34 AM 332,928 srv.sys
3 File(s) 345,088 bytes

Directory of c:\windows\system32\wbem

08/10/2004 07:00 AM 126,464 wmiapsrv.exe
1 File(s) 126,464 bytes

Total Files Listed:
90 File(s) 20,787,214 bytes
1 Dir(s) 34,552,479,744 bytes free

Malwarebytes' Anti-Malware 1.17
Database version: 859

2:04:40 AM 6/16/2008
mbam-log-6-16-2008 (02-04-40).txt

Scan type: Quick Scan
Objects scanned: 40617
Time elapsed: 7 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\abar.abarband.1 (Adware.Accoona) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\SoftwareDoctor (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{10e42047-deb9-4535-a118-b3f6ec39b807} (Adware.ISTBar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\SoftwareDoctor (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\SoftwareDoctor\ErrorDoctor (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SoftwareDoctor (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SoftwareDoctor\ErrorDoctor (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\47713750 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\SoftwareDoctor\ErrorDoctor\ErrorDoctor.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SoftwareDoctor\ErrorDoctor\ErrorDoctor.lnk (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\SoftwareDoctor\ErrorDoctor\Uninstall.lnk (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:44 AM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IconixBHOClass Class - {761233B6-F228-49E4-8F6B-668499D4E55A} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IconixOEAddOn] "C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra 'Tools' menuitem: Email ID Preferences - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra 'Tools' menuitem: About Email ID - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 7269 bytes
sin_fury
Regular Member
 
Posts: 46
Joined: June 11th, 2008, 1:52 am

Re: Trojan Problem

Post by silver » June 16th, 2008, 3:03 am

Hi sin_fury,

Make hidden/system files and folders visible:
Click Start -> My Computer
Select the Tools menu, click Folder Options and select the View tab
Under the Hidden files and folders heading SELECT Show hidden files and folders
UNCHECK the Hide extensions for known file types option
UNCHECK the Hide protected operating system files (recommended) option
Click Yes to confirm and press OK

Use Windows Explorer (right-click Start, select Explore) to find and delete the following folders:
C:\Documents and Settings\Administrator\Application Data\Itch bags surf
C:\Documents and Settings\Administrator\Application Data\WarezGhost
If you have trouble finding or deleting either of these, please let me know in your next response.

------------------------------------------------------------------------

Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

------------------------------------------------------------------------

Once complete, please post the Kaspersky report and a new HijackThis log.
Also, let me know how your computer is running now.

Re: Trojan Problem

Post by sin_fury » June 17th, 2008, 12:45 am

Things seem to be going much more smoothly. Startup is much quicker than it used to be. The scan took a LONG time... 12 hours and 40 minutes. I think I had problems with McAfee interfering and whatnot. It's not as easy to disable because there is no "M" icon in the bottom right, just a shield with a V in it. I had to set it so On Access scan didn't run on startup. Anyway, here are the logs.

Tuesday, June 17, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, June 16, 2008 14:33:21
Records in database: 872820
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
F:\
Scan statistics
Files scanned 134078
Threat name 8
Infected objects 15
Suspicious objects 0
Duration of the scan 12:40:31

File name Threat name Threats count
C:\mirc-mod4\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
C:\QooBox\Quarantine\C\Program Files\NewDotNet\nncore.dll.vir Infected: not-a-virus:AdWare.Win32.NewDotNet.m 1
C:\QooBox\Quarantine\C\WINDOWS\system32\baauyxhf.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\cicashqq.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\Winfj62.sys.vir Infected: Trojan-Dropper.Win32.Agent.son 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fvobmqjh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.yjp 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lffouncn.dll.vir Infected: Trojan.Win32.Monderb.a 1
C:\QooBox\Quarantine\C\WINDOWS\system32\vcqrpvko.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\vtUlJaxy.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\WinCtrl32.dll.vir Infected: Trojan-Downloader.Win32.Mutant.aea 1
C:\QooBox\Quarantine\C\WINDOWS\system32\WinCtrl32.dl_.vir Infected: Trojan-Downloader.Win32.Mutant.agh 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wrfchfqj.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\SDFix\backups\backups.zip Infected: Trojan.Win32.Monderb.gen 1
C:\SDFix\backups\backups.zip Infected: Trojan-Downloader.Win32.Mutant.agh 2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:25 AM, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IconixBHOClass Class - {761233B6-F228-49E4-8F6B-668499D4E55A} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IconixOEAddOn] "C:\Program Files\Iconix\OEAddOn\OEdmn_3.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra 'Tools' menuitem: Email ID Preferences - {400A6CFA-E326-4d61-A90C-9AD75358DC5F} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra 'Tools' menuitem: About Email ID - {BC3F6B6D-2E49-4603-B028-7411655713F3} - C:\Program Files\Iconix\IEAddOn\IconixBHO_32.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 7091 bytes

Re: Trojan Problem

Post by silver » June 17th, 2008, 1:08 am

Hi sin_fury,

That was a long scan, far longer than usual so I expect it did have to do with McAfee, but I'm glad your system is running better.

You should now delete SDFix.exe, dss.exe, deljob.exe and undll.exe - but leave ComboFix for the moment. Also delete these folders:
C:\Deckard
C:\SDFix


Next press Start->Run, copy/paste the following command into the box and press OK:
ComboFix /u
You should receive a message that ComboFix was uninstalled.

------------------------------------------------------------------------

If the above went well, I think your machine is clean of malware :) Here are some tips to help you keep it that way:

I recommend you install a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.
Also: subscribe to the mailing list to get update notifications.

Please take care when downloading programs. One of the easiest ways to be infected is to download freeware/shareware programs which come laden with malware - this includes allowing websites to install browser plug-ins or ActiveX controls. Before downloading, it is crucial to check whether the source is reputable.
One way to check is to use McAfee SiteAdvisor. Copy the domain name into the space provided and SiteAdvisor will give you a report on the website which can help you decide if it is safe. They also have a toolbar for IE and Firefox which adds this functionality to your browser.

Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

Find out more about how to prevent infection in the future
http://forum.malwareremoval.com/viewtopic.php?p=33687

Please post back to let me know that you have read this, and if there are any further issues.
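The hosts-file advice above cuts both ways: the same file that blocks ad servers is also a favourite place for trojans to sinkhole or redirect security vendors' domains so the victim can no longer update. As an added example, not part of the original post or of the MVPS project, here is a Python audit of a hosts file that separates ordinary MVPS-style block entries (a name sent to 0.0.0.0 or loopback) from entries worth a second look: a watched security or update domain mapped anywhere at all, a name sent to a non-loopback address, or a line that is not a hosts mapping. The watched-domain list and the sample file are constructed for the demonstration.

```python
import ipaddress

# Constructed watch list for this example: domains a user needs reachable to
# get security updates, which some trojans deliberately remap in the hosts file.
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "microsoft.com",
    "mcafee.com",
    "kaspersky.com",
    "malwarebytes.org",
    "bleepingcomputer.com",
)

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample hosts file for this example (not the real MVPS file).
SAMPLE_HOSTS = """\
# Constructed sample hosts file for this example (not the real MVPS file)
127.0.0.1       localhost
0.0.0.0         ad.doubleclick.net          # MVPS-style block entry
0.0.0.0         www.popupcount.example      # MVPS-style block entry
127.0.0.1       www.mcafee.com              # vendor site sinkholed: blocks updates
203.0.113.5     www.bank.example            # sent to an outside address: pharming
10.0.0.7        intranet.corp.example       # private address: review, probably legitimate
this is not a hosts line
"""


def is_watched(name):
    """True if name is, or is a subdomain of, a watched security/update domain."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Classify every mapping in a hosts file.

    Returns (counts, findings). counts tallies ordinary entries:
      local    - localhost-style names (expected)
      block    - a name sent to 0.0.0.0/loopback, the MVPS ad-blocking pattern
      redirect - a name sent to any other address
    findings lists (line_no, kind, detail) entries that deserve a look:
      hijack    - a watched security/update domain remapped to anything
      redirect  - a non-loopback mapping (pharming, or a legitimate intranet entry)
      malformed - a line that is not "<ip> <name> [<name> ...]"
    """
    counts = {"local": 0, "block": 0, "redirect": 0}
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            findings.append((line_no, "malformed", line))
            continue
        if len(parts) < 2:
            findings.append((line_no, "malformed", line))
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified
        for host in parts[1:]:
            name = host.lower().rstrip(".")
            if name in LOCAL_NAMES:
                counts["local"] += 1
            elif is_watched(name):
                # Even a loopback mapping is a hijack here: it silently blocks updates.
                findings.append((line_no, "hijack", f"{name} -> {ip}"))
            elif sinkhole:
                counts["block"] += 1
            else:
                counts["redirect"] += 1
                findings.append((line_no, "redirect", f"{name} -> {ip}"))
    return counts, findings


if __name__ == "__main__":
    counts, findings = audit_hosts(SAMPLE_HOSTS)
    print("entries:", counts)
    for line_no, kind, detail in findings:
        print(f"line {line_no:3} {kind:9} {detail}")
```

To run it against a live machine, read the contents of %SystemRoot%\system32\drivers\etc\hosts (on XP) and pass them to audit_hosts; a correctly installed MVPS file produces thousands of block entries and no findings, so anything in the findings list is the part to read.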

Re: Trojan Problem

Post by sin_fury » June 17th, 2008, 2:29 am

Thank you so much for all your help. When I first started having problems I thought I had things under control. I thought I'd look up the infection under Symantec or some such site with removal instructions, and it appears I was in way over my head. I stumbled upon HijackThis in my Google searches of the trojan name, and I must say I am overly thankful I did. It's amazing the things you and all the staff do to help us unfortunates out at many different forums. I only wish there was something else I could say or do other than thank you.

Re: Trojan Problem

Post by silver » June 17th, 2008, 2:44 am

You're most welcome and we are very happy to have helped.
sin_fury wrote: "I thought I'd look up the infection under Symantec or some such site with removal instructions, and it appears I was in way over my head."
I wish it was that easy, but unfortunately it's not. Nowadays, malware is harder to remove than ever and it takes 6-12 months to train a helper to clean machines safely.

sin_fury wrote: "I only wish there was something else I could say or do other than thank you."
There's one thing you could do...read the advice I posted, surf safely and try not to get reinfected! :D

Take care sin_fury and best of luck :)

Re: Trojan Problem

Post by silver » June 20th, 2008, 9:57 pm

This topic is now closed
We are pleased to have been of assistance in getting you clean.

If you have been helped and wish to donate with the costs of this volunteer site, you can do so using this link
Donations For Malware Removal