Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Computer Invaded By Malware And Trojans


  • This topic is locked This topic is locked
4 replies to this topic

#1 Herbssat

Herbssat

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:15 PM

Posted 04 May 2008 - 07:02 PM

Hi. I am trying to solve a problem with malware and trojans. I have thrown just about every scan imaginable at this computer but trojans and other malware still continue to invade it. My most recent scan has been the malware antibytes and while doing it my AVG free antivirus started pulling all kinds of trojans out that I thought were gone. I have also installed the Mcafee firewall and have tried vundofix, combofix and superantispyware.The most recent scan of malware antibytes still found vundo, trojan agent, adware bho, and malware trace. I am going to attach my hijack this log in the next post. Thanks.
--------
--------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:59:20 PM, on 5/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32LEXBCES.EXE
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSsystem32LEXPPS.EXE
C:PROGRA~1GrisoftAVG7avgamsvr.exe
C:PROGRA~1GrisoftAVG7avgupsvc.exe
c:program filesmcafee.comagentmcdetect.exe
c:PROGRA~1mcafee.comagentmctskshd.exe
C:Program FilesJavaj2re1.4.2_03binjusched.exe
C:Program FilesIntelModem Event MonitorIntelMEM.exe
C:PROGRA~1GrisoftAVG7avgcc.exe
C:Program FilesAnalog DevicesCoresmax4pnp.exe
C:PROGRA~1McAfee.comPERSON~1MpfTray.exe
C:PROGRA~1mcafee.comagentmcagent.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesSUPERAntiSpywareSUPERAntiSpyware.exe
C:PROGRA~1McAfee.comPERSON~1MpfService.exe
C:WINDOWSsystem32HPZipm12.exe
C:WINDOWSsystem32svchost.exe
C:PROGRA~1McAfee.comPERSON~1MpfAgent.exe
C:WINDOWSsystem32NOTEPAD.EXE
C:Program FilesTrend MicroHijackThislabooth1.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.my.att.net/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCUSoftwareMicrosoftInternet ExplorerSearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Local Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:PROGRA~1Yahoo!COMPAN~1Installscpnycomp5_5_7_0.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:PROGRA~1SPYBOT~1SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:PROGRA~1Yahoo!COMPAN~1Installscpnycomp5_5_7_0.dll
O4 - HKLM..Run: [SunJavaUpdateSched] C:Program FilesJavaj2re1.4.2_03binjusched.exe
O4 - HKLM..Run: [IntelMeM] C:Program FilesIntelModem Event MonitorIntelMEM.exe
O4 - HKLM..Run: [IgfxTray] C:WINDOWSsystem32igfxtray.exe
O4 - HKLM..Run: [AVG7_CC] C:PROGRA~1GrisoftAVG7avgcc.exe /STARTUP
O4 - HKLM..Run: [SoundMAXPnP] C:Program FilesAnalog DevicesCoresmax4pnp.exe
O4 - HKLM..Run: [MPFExe] C:PROGRA~1McAfee.comPERSON~1MpfTray.exe
O4 - HKLM..Run: [MCAgentExe] c:PROGRA~1mcafee.comagentmcagent.exe
O4 - HKLM..Run: [MCUpdateExe] c:PROGRA~1mcafee.comagentmcupdate.exe
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [SUPERAntiSpyware] C:Program FilesSUPERAntiSpywareSUPERAntiSpyware.exe
O4 - HKUSS-1-5-19..Run: [AVG7_Run] C:PROGRA~1GrisoftAVG7avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..Run: [AVG7_Run] C:PROGRA~1GrisoftAVG7avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUSS-1-5-18..Run: [AVG7_Run] C:PROGRA~1GrisoftAVG7avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [AVG7_Run] C:PROGRA~1GrisoftAVG7avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:Program FilesYahoo!Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~4OFFICE11EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:Program FilesYahoo!Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:Program FilesYahoo!Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavaj2re1.4.2_03binnpjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavaj2re1.4.2_03binnpjpi142_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:Program FilesYahoo!Messengeryhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:Program FilesYahoo!Messengeryhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~4OFFICE11REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:WINDOWSsystem32Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:PROGRA~1SPYBOT~1SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:PROGRA~1SPYBOT~1SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...974/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:Program FilesSUPERAntiSpywareSASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVG7avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVG7avgupsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:Program FilesDellSupportbrkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:WINDOWSsystem32LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:program filesmcafee.comagentmcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:PROGRA~1mcafee.comagentmctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:PROGRA~1McAfee.comAgentmcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:PROGRA~1McAfee.comPERSON~1MpfService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:WINDOWSsystem32HPZipm12.exe

--
End of file - 7600 bytes

Merged posts. ~ OB

Edited by Orange Blossom, 04 May 2008 - 10:04 PM.


BC AdBot (Login to Remove)

 


#2 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:10:15 PM

Posted 05 May 2008 - 04:36 PM

Hi

Your hijackthis log is clean :thumbsup:

AS you have run so many removal programs, they are probably finding the trojans in each others quarantine/backup folders ...

Please post some of the logs ... vundofix, combofix, superantispyware & Malwarebytes ...

I would also like to see a Kaspersky Online Scan

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be promted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt
-
ALSO ...

You are running an out-of-date version of java

Go to add/remove programs and uninstall any earlier versions ...

Then You can go here and install the latest version of Java.

http://java.sun.com/javase/downloads/index.jsp

Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 6' and press the 'Download' button.


Running an out-of-date version of java is an infection risk.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#3 Herbssat

Herbssat
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:15 PM

Posted 06 May 2008 - 03:01 PM

Thanks for the reply. I will use your suggestion on a laptop that I think is infected. I have already wiped the desktop rather than being compromised. If I need any more help I will post a log.

#4 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:10:15 PM

Posted 06 May 2008 - 03:07 PM

OK :thumbsup:
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#5 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:10:15 PM

Posted 21 May 2008 - 04:39 PM

Due to lack of feedback this topic is now closed.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users