
Trojan Clicker?



#1 TIFFANY_TOO

  • Members
  • 1 posts

Posted 26 August 2008 - 03:33 PM

My AV program found 4 Trojans and deleted them. But it's still doing the same thing. It's opening and closing windows, clicking on icons, starting programs, changing the volume, opening up a lot of search boxes, etc. It's chaotic. I want to stop it. Please help me.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:52 PM, on 8/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/yie6/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn9\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.thelancasternews.com"); (C:\Documents and Settings\TIFFANY\Application Data\Mozilla\Profiles\default\qg8017ns.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\TIFFANY\Application Data\Mozilla\Profiles\default\qg8017ns.slt\prefs.js)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn9\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn9\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office One Note\OFFICE11\ONENOTEM.EXE
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\scieplugin.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {C23D8BF6-40C7-4630-881F-244C7EE41F89} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O20 - AppInit_DLLs: WIKI.DLL,C:\PROGRA~1\DEFEND~1\DEFEND~1.0\adialhk.dll
O23 - Service: Defender Pro Internet Security (AVP) - Defender Pro - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avz.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 11139 bytes
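As an added example (not part of this thread and not HijackThis's own code), the following Python script parses lines in the HijackThis log format posted above and applies a few of the review heuristics a responder uses when reading such a log: it flags entries HijackThis has already marked "(file missing)", lists every AppInit_DLLs module (O20) and notes when one is given as a bare file name rather than a full path, flags Run values (O4) that name a program without any directory, and records which hosts the listed ActiveX controls (O16) were downloaded from. A flag means "verify this entry", not "this entry is malicious". The sample lines are constructed from entries in the log above; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines in the HijackThis v2.0.2 log format, taken
# from the kinds of entries posted in this thread (header, two process lines,
# six section entries). Not a complete log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:52 PM, on 8/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\avp.exe"
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O20 - AppInit_DLLs: WIKI.DLL,C:\PROGRA~1\DEFEND~1\DEFEND~1.0\adialhk.dll
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
--
End of file - 11139 bytes
"""

# A HijackThis entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [Name] program".
HJT_ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A fully qualified Windows path, optionally quoted: C:\... or "C:\...
WIN_ABS_PATH = re.compile(r'^"?[A-Za-z]:\\')
APPINIT_PREFIX = "AppInit_DLLs:"


@dataclass(frozen=True)
class Entry:
    section: str  # R0, R1, O2, O4, O16, O20, O23, ...
    body: str     # everything after "<section> - "


@dataclass(frozen=True)
class Finding:
    section: str
    item: str
    reason: str


def parse_entries(log_text):
    """Return the section entries of a HijackThis log; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(entries):
    """Apply review heuristics to parsed entries; each finding is something to verify by hand."""
    findings = []
    for e in entries:
        # HijackThis marks targets that no longer exist on disk; those are stale registrations.
        if "(file missing)" in e.body:
            findings.append(Finding(e.section, e.body, "referenced file is missing (stale or orphaned registration)"))
        # O20: AppInit_DLLs are loaded into every process that loads user32.dll, so each
        # listed DLL deserves verification. A bare file name carries no full path and is
        # resolved through the normal DLL search order, so which file loads must be confirmed.
        if e.section == "O20" and e.body.startswith(APPINIT_PREFIX):
            for dll in e.body[len(APPINIT_PREFIX):].split(","):
                dll = dll.strip()
                if not dll:
                    continue
                reason = "AppInit_DLLs entry, loaded into user-mode processes"
                if not WIN_ABS_PATH.match(dll):
                    reason += "; no full path, resolved through the DLL search order"
                findings.append(Finding(e.section, dll, reason))
        # O4: a Run value that names a program without any directory is likewise resolved
        # through the search path; the process list shows which file actually started.
        if e.section == "O4":
            command = e.body.split("]", 1)[-1]
            if "\\" not in command:
                findings.append(Finding(e.section, e.body, "Run entry without a directory, resolved through the search path"))
        # O16: Downloaded Program Files (ActiveX controls) record the host they came from.
        if e.section == "O16":
            m = re.search(r"https?://([^/\s]+)", e.body)
            if m:
                findings.append(Finding(e.section, m.group(1), "ActiveX control downloaded from this host"))
    return findings


def findings_by_section(findings):
    """Count findings per section code, a quick summary for a long log."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(parse_entries(SAMPLE_LOG)):
        print(f"{f.section}: {f.item}\n    -> {f.reason}")
```

Run against the full log above, the same heuristics would surface the two "(file missing)" services, the bare WIKI.DLL in AppInit_DLLs, the CARPService Run value, and the six ActiveX download hosts; everything else is left for the normal line-by-line read.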


#2 Thunder

  • Members
  • 3,294 posts

Posted 11 September 2008 - 07:26 AM

Hello Tiffany and welcome to BleepingComputer,

Sorry to have kept you waiting for so long, but the forums are really busy.
If you still need help:

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to Start > Run, type: cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, and you receive a warning that a newer version is available, then please download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted, and make a difference



