
Infected With Possible Trojan/worm/keylogger


This topic is locked
2 replies to this topic

#1 itsric05

  • Members
  • 1 posts

Posted 14 June 2008 - 09:44 AM

Hello All,

I think I definitely have had some sort of infection on my computer. The problem is I really do not know what to do. I have been searching the forums and saw that a lot of the time it was suggested to use Trend Micro HijackThis via "DSS", so I have done this and the results are below:



Deckard's System Scanner v20071014.68
Run by ItsRic on 2008-06-14 16:07:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
32: 2008-06-14 15:07:32 UTC - RP60 - Deckard's System Scanner Restore Point
31: 2008-06-12 08:00:44 UTC - RP59 - Removed LEGO® Indiana Jones™ Demo
30: 2008-06-10 18:39:36 UTC - RP58 - Software Distribution Service 3.0
29: 2008-06-02 12:49:15 UTC - RP57 - System Checkpoint
28: 2008-05-29 13:41:19 UTC - RP56 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-03-16 20:37:12 UTC - RP29 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as ItsRic.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:08:48, on 14/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Documents and Settings\ItsRic\Desktop\Zone Alarm\spyware thingy\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ItsRic.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.planet-f1.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: REALTEK RTL8185 Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BA3BAF69-72B1-4BCE-BE96-A4D304EAFBB4} (PhotoBox uploader) - http://www.photobox.co.uk/assets/aurigma/ImageUploader4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5607 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.5.2.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.5.2.0>

S3 ALSysIO - c:\docume~1\owner\locals~1\temp\alsysio.sys (file missing)
S3 SjyPkt - c:\windows\system32\drivers\sjypkt.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8185 54M Wireless LAN Network Adapter
Device ID: PCI\VEN_10EC&DEV_8185&SUBSYS_818510EC&REV_20\4&19ABE7DE&0&00F0
Manufacturer: Realtek
Name: Realtek RTL8185 54M Wireless LAN Network Adapter
PNP Device ID: PCI\VEN_10EC&DEV_8185&SUBSYS_818510EC&REV_20\4&19ABE7DE&0&00F0
Service: rtl8185


-- Scheduled Tasks -------------------------------------------------------------

2008-06-12 09:14:08 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-14 and 2008-06-14 -----------------------------

2008-06-14 15:59:07 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-14 15:59:07 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-14 15:59:07 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-14 15:59:07 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-14 15:59:07 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-06-14 15:59:07 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-14 15:59:07 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-06-14 15:59:07 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-14 15:59:07 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-14 15:59:07 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-14 15:59:07 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-14 15:59:07 0 d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-06-14 15:59:07 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-14 15:59:06 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-14 15:59:06 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-14 15:59:06 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-14 15:36:09 0 d-------- C:\Program Files\Trend Micro
2008-06-14 14:41:19 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-14 14:41:01 0 d-------- C:\Program Files\Spyware Doctor
2008-06-14 14:41:01 0 d-------- C:\Documents and Settings\ItsRic\Application Data\PC Tools
2008-06-12 09:17:47 0 d-------- C:\Program Files\iPod
2008-05-27 19:06:10 106496 --a------ C:\WINDOWS\system32\PixText.dll <Not Verified; ; PixText Dynamic Link Library>
2008-05-27 19:06:10 32256 --a------ C:\WINDOWS\system32\PixologyIRISS.dll <Not Verified; Pixology Ltd.; Pixology IRISS>
2008-05-27 19:06:06 212480 --a------ C:\WINDOWS\system32\PCDLIB32.DLL <Not Verified; Eastman Kodak; Kodak Photo CD Access Developer Toolkit>
2008-05-27 19:06:06 230400 --a------ C:\WINDOWS\system32\DC265.DLL <Not Verified; Eastman Kodak Company; DC265 SDK Win32 Ver.1.0.0600>
2008-05-27 19:06:06 434176 --a------ C:\WINDOWS\system32\DC120V15_32.DLL <Not Verified; Eastman Kodak Japan; DC120 SDK Library Win32 Ver.1.5>
2008-05-27 19:06:06 0 d-------- C:\Program Files\Tesco
2008-05-27 18:15:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2008-05-27 18:14:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Channel4
2008-05-27 18:04:08 0 d-------- C:\Program Files\Windows Media Connect 2
2008-05-27 18:03:12 0 d-------- C:\WINDOWS\system32\LogFiles
2008-05-27 18:03:12 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-27 18:02:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-05-20 21:40:18 0 d-------- C:\WINDOWS\system32\COD4MW Screensaver dir
2008-05-20 21:39:18 520192 --a------ C:\WINDOWS\system32\Grand Theft Auto IV Screenshot.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2008-05-20 21:39:18 0 d-------- C:\WINDOWS\system32\Grand Theft Auto IV Screenshot dir


-- Find3M Report ---------------------------------------------------------------

2008-06-14 14:26:04 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-13 17:50:25 0 d-------- C:\Program Files\Bonjour
2008-06-12 09:21:28 0 d-------- C:\Program Files\Apple Software Update
2008-06-12 09:17:59 0 d-------- C:\Program Files\iTunes
2008-06-12 09:16:58 0 d-------- C:\Program Files\QuickTime
2008-05-26 11:55:59 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-04 21:43:26 0 d-------- C:\Program Files\Common Files
2008-05-04 20:59:07 50 --a------ C:\AUTOEXEC.BAT
2008-05-04 20:58:15 0 d-------- C:\Program Files\PIXELA
2008-04-16 12:59:57 0 d-------- C:\Program Files\rFactor
2008-04-10 13:02:04 546 --a------ C:\WINDOWS\eReg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/12/2007 02:41]
"nwiz"="nwiz.exe" [05/12/2007 02:41 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [05/12/2007 02:41]
"RTHDCPL"="RTHDCPL.EXE" [12/04/2007 18:33 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [03/05/2005 19:43 C:\WINDOWS\Alcmtr.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [27/05/2008 10:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/06/2008 11:13]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [13/03/2008 23:11]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [10/04/2008 15:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 17:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [09/10/2006 07:51]

C:\Documents and Settings\ItsRic\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [26/10/2006 21:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
REALTEK RTL8185 Wireless LAN Utility.lnk - C:\Program Files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWLan.exe [14/01/2008 13:44:19]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"




-- End of Deckard's System Scanner: finished at 2008-06-14 16:09:35 ------------

-----------------------------------

This makes no sense to me whatsoever. I have used ZoneAlarm and now Spyware Doctor to try and find and clear these. ZoneAlarm appears to detect them, but for some reason doesn't do anything with them. As it scans files, I see a file name Win32.Trojan..... flash by; however, like I say, it doesn't appear to do anything with it.

I really hope someone can help with this.

Thank you in advance

Edited by itsric05, 14 June 2008 - 10:13 AM.



#2 pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 06 July 2008 - 08:18 AM

Welcome to Bleeping Computer. Please be sure you have read and followed the Preparation Guide For Use Before Posting A HijackThis Log, Instructions for receiving help in cleaning your computer: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
All advice given is taken at your own risk.

I apologize for the wait, if your issues are not resolved, read the instructions posted above and then follow the directions below. If you no longer need help, I would appreciate a quick post letting me know so I can close your topic.

If you have not resolved these issues, here is some feedback.

1) HJT can't show everything, but nothing that looks like malware is showing in this HJT log.

2) If you are still having these issues, provide more information, anything you think will help: which security program is showing you what. Post a new HijackThis log using Add Reply.
I would like to help, but I need more information to provide a direction to look in.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
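
The check pskelley describes in point 1 (reading a HijackThis/DSS log for entries that deserve a closer look) is normally done by eye. As an added illustration, not part of this thread and not a BleepingComputer tool, here is a small Python triage script that applies a few of the same heuristics to the log formats shown above: startup entries (O4), browser helper objects (O2), services (O23) and the DSS driver lines. The sample lines are constructed in those formats and modelled on the log in the first post; the "updater" Run entry and the "hlpsvc" service are invented to exercise the checks and are not from the poster's machine.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample lines in HijackThis 2.0.2 / Deckard's System Scanner
# format, modelled on the log posted above. The "updater" Run entry and the
# "hlpsvc" service are invented to exercise the checks; they are NOT from
# the poster's machine.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\ItsRic\LOCALS~1\Temp\svchost.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Helper Service (hlpsvc) - Unknown owner - C:\WINDOWS\system32\hlpsvc.exe (file missing)
R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
S3 ALSysIO - c:\docume~1\owner\locals~1\temp\alsysio.sys (file missing)
"""

HJT_RE = re.compile(r"^(O\d+) - (.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
DRIVER_RE = re.compile(r"^[RS][0-4] (?P<name>\S+)(?: \(.*\))? - (?P<path>.*)$")

MISSING = "(file missing)"
# Names of core Windows processes that malware likes to borrow.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                "smss.exe", "services.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"


@dataclass
class Entry:
    kind: str                 # O2, O4, O23 or DRV
    name: str
    target: str               # executable/DLL path with log suffixes stripped
    owner: str = ""           # O23 publisher column, if any
    missing: bool = False     # log said "(file missing)"
    flags: list = field(default_factory=list)


def first_token(cmd):
    """Executable part of a Run value: quoted path or first whitespace token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def clean_path(raw):
    """Strip DSS '<Not Verified; ...>' and HJT '(file missing)' suffixes."""
    raw = re.sub(r"\s*<[^>]*>\s*$", "", raw.strip())
    missing = raw.lower().endswith(MISSING)
    if missing:
        raw = raw[: -len(MISSING)].rstrip()
    return raw, missing


def parse_line(line):
    """Return an Entry for the line types we triage, else None."""
    m = HJT_RE.match(line)
    if m:
        kind, rest = m.groups()
        if kind == "O2" and (r := O2_RE.match(rest)):
            path, missing = clean_path(r["path"])
            return Entry("O2", r["name"], path, missing=missing)
        if kind == "O4" and (r := O4_RE.match(rest)):
            path, missing = clean_path(first_token(r["cmd"]))
            return Entry("O4", r["name"], path, missing=missing)
        if kind == "O23" and (r := O23_RE.match(rest)):
            path, missing = clean_path(r["path"])
            return Entry("O23", r["name"], path, owner=r["owner"], missing=missing)
        return None
    if r := DRIVER_RE.match(line):
        path, missing = clean_path(r["path"])
        return Entry("DRV", r["name"], path, missing=missing)
    return None


def check(e):
    """Attach heuristic flags; these are leads to verify, not verdicts."""
    p = e.target.lower()
    if e.missing:
        e.flags.append("file missing: orphaned entry, confirm and clean up")
    if "\\temp\\" in p:
        e.flags.append("executable under a Temp directory")
    if ntpath.basename(p) in SYSTEM_NAMES and not p.startswith(SYSTEM_DIR):
        e.flags.append("Windows system-process name outside system32")
    if e.kind == "O4" and "\\" not in p:
        e.flags.append("bare filename resolved via PATH: locate the file before trusting it")
    if e.kind == "O23" and e.owner.lower() == "unknown owner":
        e.flags.append("service with no publisher string")
    return e


def triage(log_text):
    """Parse a HJT/DSS log and return the entries that tripped a check."""
    out = []
    for line in log_text.strip().splitlines():
        e = parse_line(line.strip())
        if e is not None and check(e).flags:
            out.append(e)
    return out


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:4} {e.name:28} {e.target}")
        for f in e.flags:
            print(f"       - {f}")
```

On the constructed sample the script lists four entries: the bare-name Run entry, the invented Temp-directory "svchost.exe", the invented missing service with no publisher, and the orphaned ALSysIO driver from the original log. The bare-name check also fires on the poster's legitimate Realtek audio entry [Alcmtr], which is the point: the output is a worklist for a human to confirm against the file on disk and its publisher, not an infection verdict, and a clean worklist does not prove a clean machine any more than a clean HJT log does.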

#3 pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 15 July 2008 - 05:23 PM

There has been no response to this topic in a week
This topic is closed
Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006



