Multiple Trojans found
Post by jasinnis » December 2nd, 2010, 10:52 am

My son got on my laptop and viewed videos from YouTube. Almost immediately after, a program called Win Defragmentor opened on my computer telling me there were critical errors on my HD. I did some research and found that this was, in fact, malware and can be inadvertently installed from malicious websites and/or malicious video codecs, etc., which makes sense given that he was just on YouTube.

I ran HijackThis and found some suspicious entries. As a result, I ran Super AntiSpyware, which found multiple trojans. After quarantine and removal and a restart, I then rescanned with Malware Bytes, which then also found multiple trojans. Again, after quarantine and removal, I reran HijackThis and found there are now multiple URLs listed as "Trusted" and multiple IP addresses listed as "Trusted".

Below is the log of HiJackThis. There was no uninstall list, as the laptop hadn't been used in about a year (I dug it out because I had similar issues with our desktop, which appear to now be corrected after multiple scans).

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:15:52 AM, on 12/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Java\JavaService\JavaService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\AE69E9.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://conn.skype.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access PC5250 Sound] "C:\Program Files\IBM\Client Access\Emulator\pcssnd.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [T-Mobile webConnect Manager] "C:\Program Files\T-Mobile\webConnect Manager\TMobileCM.exe" -a
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [DameWare MRC Agent] C:\WINDOWS\system32\DWRCST.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.acuscreen.com
O15 - Trusted Zone: ezlm.adp.com
O15 - Trusted Zone: payex.adp.com
O15 - Trusted Zone: portal.adp.com
O15 - Trusted Zone: *.asthmacommunityonline.com
O15 - Trusted Zone: http://aza-lite.astrazeneca-us.com
O15 - Trusted Zone: *.astrazeneca-us.com
O15 - Trusted Zone: sd.auxis-its.com
O15 - Trusted Zone: http://sps.auxis.com
O15 - Trusted Zone: *.aventis.com
O15 - Trusted Zone: http://*.bbk-survey
O15 - Trusted Zone: elt.cachefly.net
O15 - Trusted Zone: *.cashproweb.com
O15 - Trusted Zone: studymanager.clinilabs.com
O15 - Trusted Zone: ess.datis.com
O15 - Trusted Zone: *.diabetescommunityonline.com
O15 - Trusted Zone: adp.eease.com
O15 - Trusted Zone: home.eease.com
O15 - Trusted Zone: http://www.facebook.com
O15 - Trusted Zone: http://us2.five9.co
O15 - Trusted Zone: us2.five9.com
O15 - Trusted Zone: *.five9.com
O15 - Trusted Zone: *.healthcarehost.net
O15 - Trusted Zone: messenger.hotmail.com
O15 - Trusted Zone: http://*.knipper-client.com
O15 - Trusted Zone: *.novartis.com
O15 - Trusted Zone: extranet.na.novartis.net
O15 - Trusted Zone: loginnet.passport.com
O15 - Trusted Zone: *.quality3.com
O15 - Trusted Zone: *.realize.com
O15 - Trusted Zone: *.realizeband.com
O15 - Trusted Zone: *.sanofi-aventis.com
O15 - Trusted Zone: *.sensei.com
O15 - Trusted Zone: static.suitesmart.com
O15 - Trusted Zone: *.tcnsurvey.com
O15 - Trusted Zone: http://webmail.tmshealth.com
O15 - Trusted Zone: *.tmshealth.com
O15 - Trusted Zone: *.transerainc.net
O15 - Trusted Zone: *.acuscreen.com (HKLM)
O15 - Trusted Zone: ezlm.adp.com (HKLM)
O15 - Trusted Zone: payex.adp.com (HKLM)
O15 - Trusted Zone: portal.adp.com (HKLM)
O15 - Trusted Zone: *.asthmacommunityonline.com (HKLM)
O15 - Trusted Zone: http://aza-lite.astrazeneca-us.com (HKLM)
O15 - Trusted Zone: *.astrazeneca-us.com (HKLM)
O15 - Trusted Zone: sd.auxis-its.com (HKLM)
O15 - Trusted Zone: http://sps.auxis.com (HKLM)
O15 - Trusted Zone: *.aventis.com (HKLM)
O15 - Trusted Zone: http://*.bbk-survey (HKLM)
O15 - Trusted Zone: elt.cachefly.net (HKLM)
O15 - Trusted Zone: *.cashproweb.com (HKLM)
O15 - Trusted Zone: studymanager.clinilabs.com (HKLM)
O15 - Trusted Zone: ess.datis.com (HKLM)
O15 - Trusted Zone: *.diabetescommunityonline.com (HKLM)
O15 - Trusted Zone: adp.eease.com (HKLM)
O15 - Trusted Zone: home.eease.com (HKLM)
O15 - Trusted Zone: http://www.facebook.com (HKLM)
O15 - Trusted Zone: http://us2.five9.co (HKLM)
O15 - Trusted Zone: us2.five9.com (HKLM)
O15 - Trusted Zone: *.five9.com (HKLM)
O15 - Trusted Zone: *.healthcarehost.net (HKLM)
O15 - Trusted Zone: messenger.hotmail.com (HKLM)
O15 - Trusted Zone: http://*.knipper-client.com (HKLM)
O15 - Trusted Zone: *.novartis.com (HKLM)
O15 - Trusted Zone: extranet.na.novartis.net (HKLM)
O15 - Trusted Zone: loginnet.passport.com (HKLM)
O15 - Trusted Zone: *.quality3.com (HKLM)
O15 - Trusted Zone: *.realize.com (HKLM)
O15 - Trusted Zone: *.realizeband.com (HKLM)
O15 - Trusted Zone: *.sanofi-aventis.com (HKLM)
O15 - Trusted Zone: *.sensei.com (HKLM)
O15 - Trusted Zone: static.suitesmart.com (HKLM)
O15 - Trusted Zone: *.tcnsurvey.com (HKLM)
O15 - Trusted Zone: http://webmail.tmshealth.com (HKLM)
O15 - Trusted Zone: *.tmshealth.com (HKLM)
O15 - Trusted Zone: *.transerainc.net (HKLM)
O15 - Trusted IP range: http://10.0.5.62
O15 - Trusted IP range: http://172.10.23.28
O15 - Trusted IP range: http://10.0.5.101
O15 - Trusted IP range: http://0.0.0.164
O15 - Trusted IP range: http://164.109.35.187
O15 - Trusted IP range: http://172.10.23.13
O15 - Trusted IP range: http://127.0.0.1
O15 - Trusted IP range: http://10.0.5.62 (HKLM)
O15 - Trusted IP range: http://172.10.23.28 (HKLM)
O15 - Trusted IP range: http://10.0.5.101 (HKLM)
O15 - Trusted IP range: http://0.0.0.164 (HKLM)
O15 - Trusted IP range: http://164.109.35.187 (HKLM)
O15 - Trusted IP range: http://172.10.23.13 (HKLM)
O15 - Trusted IP range: http://127.0.0.1 (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 5762547754
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5762479348
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/astr ... der_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ucn.webex.com/client/T25L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tmshealth.com
O17 - HKLM\Software\..\Telephony: DomainName = tmshealth.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tmshealth.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: JESS-Workstation - Alexandria Software Consulting + Multiplan Consultants - C:\Java\JavaService\JavaService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: T-Mobile RcApp Svc (TMobileRcAppSvc) - SmithMicro Inc. - C:\Program Files\T-Mobile\webConnect Manager\RcAppSvc.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

--
End of file - 13465 bytes
jasinnis
Active Member
Posts: 1
Joined: December 2nd, 2010, 10:41 am
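The poster's main worry is the long list of O15 "Trusted Zone" and "Trusted IP range" entries that HijackThis reported. The script below is an added triage aid, not code from the poster or from HijackThis: it parses the O15 lines and the running-process list out of an HJT log and flags what a responder would look at first (an executable running from a temp directory, wildcard trusted-zone entries, and trusted IP ranges that are not RFC 1918 space). It assumes HJT's convention that machine-wide entries carry a trailing "(HKLM)" and that entries without it come from the current user's hive; the sample lines are a subset copied from the log above. On a domain-joined machine (this log shows an O17 domain of tmshealth.com) many trusted-zone entries are pushed by policy, so the output is a review list, not a verdict.

```python
"""Triage helper for HijackThis (HJT) logs: pulls out the O15 Trusted Zone /
Trusted IP range entries and the running-process list, then flags the things
a responder would review first.  Added example, not HJT's own code."""
import ipaddress
import re

# Constructed sample: a handful of lines copied from the HJT log posted in this
# thread, so the example runs offline without the full log.
SAMPLE_LINES = [
    "Running processes:",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\TEMP\AE69E9.EXE",
    r"C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe",
    "",
    "O15 - Trusted Zone: *.acuscreen.com",
    "O15 - Trusted Zone: http://www.facebook.com",
    "O15 - Trusted Zone: http://*.bbk-survey",
    "O15 - Trusted Zone: *.acuscreen.com (HKLM)",
    "O15 - Trusted Zone: http://www.facebook.com (HKLM)",
    "O15 - Trusted IP range: http://10.0.5.62",
    "O15 - Trusted IP range: http://172.10.23.28",
    "O15 - Trusted IP range: http://0.0.0.164",
    "O15 - Trusted IP range: http://127.0.0.1",
    "O15 - Trusted IP range: http://10.0.5.62 (HKLM)",
]

# Assumption about HJT's output format: HKLM-scoped O15 entries end in "(HKLM)";
# entries without the suffix come from the current user's hive (HKCU).
O15_RE = re.compile(r"^O15 - Trusted (Zone|IP range): (\S+)(?: \((HKLM)\))?$")
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# Address classes used when judging a trusted IP range.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
THIS_NET = ipaddress.ip_network("0.0.0.0/8")   # never a valid remote host


def parse_hjt(lines):
    """Split an HJT log into the process list and the O15 entries."""
    processes, zones, ip_ranges = [], [], []
    in_procs = False
    for line in lines:
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # blank line ends the process block
                in_procs = False
            else:
                processes.append(line)
            continue
        m = O15_RE.match(line)
        if m:
            kind, target, hive = m.group(1), m.group(2), m.group(3) or "HKCU"
            (zones if kind == "Zone" else ip_ranges).append((target, hive))
    return {"processes": processes, "trusted_zone": zones, "trusted_ip": ip_ranges}


def classify_ip(target):
    """Label the address behind a 'Trusted IP range' entry (scheme prefix stripped)."""
    addr = ipaddress.ip_address(target.split("://", 1)[-1])
    if addr in LOOPBACK:
        return "loopback"
    if addr in THIS_NET:
        return "bogus (0.0.0.0/8)"
    if any(addr in net for net in RFC1918):
        return "private"
    return "public"


def triage(lines):
    """Return human-readable findings: temp-dir processes, then wildcard zones,
    then trusted IP ranges outside RFC 1918 space."""
    parsed = parse_hjt(lines)
    findings = []
    for proc in parsed["processes"]:
        if TEMP_DIR_RE.search(proc):
            findings.append(f"process running from a temp directory: {proc}")
    for target, hive in parsed["trusted_zone"]:
        if target.startswith("*.") or "//*." in target:
            findings.append(f"wildcard trusted-zone entry ({hive}): {target}")
    for target, hive in parsed["trusted_ip"]:
        label = classify_ip(target)
        if label != "private":
            findings.append(f"trusted IP range is {label} ({hive}): {target}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Run against the sample it reports the randomly named executable in C:\WINDOWS\TEMP, the three wildcard zone entries, and three IP ranges worth a second look: 172.10.23.28 is public address space (only 172.16.0.0/12 is private, so a 172.10.x.x entry is easy to misread as internal), 0.0.0.164 is not a routable host at all, and 127.0.0.1 is loopback. To triage a full log, read the file into a list of lines and pass it to `triage()`.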

Re: Multiple Trojans found

Post by Gary R » December 2nd, 2010, 6:33 pm

I see you are posting for help for a "Business" computer.

May I draw your attention to THIS topic, which you should have read before posting for help.

The sections ....
.... explain why we do not offer help for such computers.

This topic is now closed
Gary R
Administrator
Posts: 21869
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
