
Need help with Tesllar A Trojan


This topic is locked
5 replies to this topic

#1 gutlesswarrior

Posted 04 December 2008 - 07:43 PM

My computer has been acting weird so I used the yahoo! scanner and it said I had a Tesllar A Trojan. I tried removing it through the program and manually but it wouldn't allow me. I have this same problem posted on a Dell Forum (http://en.community.dell.com/forums/p/19245223/19382911.aspx#19382911) but I wanted to come here too, just in case.

A few things you should know:
1. It seems as though the laptop will not allow me to log in every once in a while so I may have to do it remotely
2. I have very limited access to the internet now, as the trojan seems to block it, and cannot click on links or download many anti-malware programs
3. I'd prefer to do this remotely. I've heard that you can scan the computer through a LAN connection by a separate "clean" computer. If so, what kind of cable/wire is used for such a connection (ethernet?) and how do I do it? I would need easy step-by-step instructions please, I'm new to this kinda thing :thumbsup:
(edit) 4. I CANNOT access this site to download anything on the infected laptop.

Here's my HijackThis log in case you need it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:24 PM, on 12/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\VXNlcg\command.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Zune\ZuneNss.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Perfect Defender 2009\pdfndr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\prunnet.exe
C:\Documents and Settings\jruiz\Application Data\gadcom\gadcom.exe
c:\windows\system32\rrwnw64q.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\rcntksdl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [{15-5C-CC-C3-DW}] c:\windows\system32\rrwnw64q.exe DWmmm01FF
O4 - HKLM\..\Run: [huxaugxdpujgndkyr] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\ptgjhwfakrgpsdy.dll"
O4 - HKLM\..\Run: [c8015c6c] rundll32.exe "C:\WINDOWS\system32\qixxsxdh.dll",b
O4 - HKLM\..\Run: [Perfect Defender 2009] "C:\Program Files\Perfect Defender 2009\pdfndr.exe"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rcntksdl.exe DWmmm01FF
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\jruiz\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [winhpdrv] "C:\Documents and Settings\jruiz\Application Data\Google\xtgoj6119471.exe"
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\rcntksdl.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\SYSTEM32\rrwnw64q.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - (no file)
O9 - Extra button: (no name) - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Sametime JNI Loader ST30SP1 - http://chat.pristine.com/RTR/Packages/Same...STJNILoader.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1DD81666-F3AD-11D3-BA86-00500487B4EC} (WonSearchX Control) - http://www.investors.com/member/ocx/WonSearchX.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1079949885172
O16 - DPF: {78267546-F2AC-11D2-A278-005004676C44} (WonList Control) - http://www.investors.com/member/ocx/WonList.ocx
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - https://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.237.57.178/activex/AxisCamControl.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/...flowActiveX.CAB
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: {B7CF60D7-74FA-4A89-90DC-C56C9239360D} - http://files.blocks.com/SnapSheetInstall/S...eetsInstall.cab
O16 - DPF: {EE3CD402-69EB-4B53-819D-0CA2F95AD7DA} (PFMngr Control) - http://www.investors.com/member/ocx/PFMngr.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ropakcorp.com
O17 - HKLM\Software\..\Telephony: DomainName = ropakcorp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ropakcorp.com
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = ropakcorp.com
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: Domain = ropakcorp.com
O20 - AppInit_DLLs: yjokpu.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VXNlcg\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Edited by gutlesswarrior, 04 December 2008 - 07:45 PM.
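As an added example (not code from the thread or from any BleepingComputer tool), here is a small Python triage script that applies the kind of checks a helper runs over the O4/O20/O23 entries in a HijackThis log: random-looking file names in startup entries, a core Windows binary name outside system32, a populated AppInit_DLLs value, and services with no publisher. The sample lines are a subset copied from the log in this post; the "random name" rule is a crude consonant-run heuristic chosen for this example.

```python
import re

# Constructed sample: a subset of the HijackThis entries from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [{15-5C-CC-C3-DW}] c:\windows\system32\rrwnw64q.exe DWmmm01FF
O4 - HKLM\..\Run: [huxaugxdpujgndkyr] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\ptgjhwfakrgpsdy.dll"
O4 - HKLM\..\Run: [c8015c6c] rundll32.exe "C:\WINDOWS\system32\qixxsxdh.dll",b
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O20 - AppInit_DLLs: yjokpu.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VXNlcg\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{5,}")
BINARY_NAME = re.compile(r"[\w-]+\.(?:exe|dll)", re.I)
FULL_PATH = re.compile(r"[a-z]:\\.*?\.(?:exe|dll)", re.I)

def looks_random(filename):
    """Crude triage hint: a stem of 8+ chars containing a run of 5+ consonants.
    Flags rrwnw64q / qixxsxdh, leaves svchost / quickset alone."""
    stem = filename.lower().rsplit(".", 1)[0]
    return len(stem) >= 8 and CONSONANT_RUN.search(stem) is not None

def triage(log_text):
    """Return (line, reason) pairs for HijackThis entries that deserve a closer look."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        if kind == "O20" and line.split(":", 1)[1].strip():
            # A populated AppInit_DLLs value is loaded into every process that uses user32.dll.
            hits.append((line, "AppInit_DLLs entry present"))
        elif kind == "O23" and "Unknown owner" in line:
            hits.append((line, "service has no publisher"))
        elif kind == "O4":
            odd = [n for n in BINARY_NAME.findall(line) if looks_random(n)]
            if odd:
                hits.append((line, "random-looking file name: " + ", ".join(odd)))
                continue
            m = FULL_PATH.search(line)
            if m:
                parent, _, base = m.group(0).lower().rpartition("\\")
                if base == "svchost.exe" and not parent.endswith("\\system32"):
                    hits.append((line, "core Windows binary name outside system32"))
    return hits

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

The heuristic is deliberately crude: it misses entries such as prunnet.exe and will flag some legitimate names, so its output is a list of leads to research, not a verdict.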


#2 miekiemoes (Malware Response Team)

Posted 05 December 2008 - 02:28 AM

Hi,

It appears that this computer has already been infected for more than a year!!! And to be honest, after being infected for so long - I fear this is a lost case here. Malware damages A LOT - so imagine how much it has already damaged after a year. Also imagine how many other computers it has already infected in the meantime, because an infected computer is responsible for infecting other computers as well (sending spam etc).

Does this computer belong to a company or is it used for work? Please answer this question first, because this is really important to know.
Also, is your Antivirus still up to date? Because I cannot believe it is up to date since so much older malware is still up and running.

#3 gutlesswarrior (Topic Starter)

Posted 05 December 2008 - 10:39 PM

Hi,

It appears that this computer has already been infected for more than a year!!! And to be honest, after being infected for so long - I fear this is a lost case here. Malware damages A LOT - so imagine how much it has already damaged after a year. Also imagine how many other computers it has already infected in the meantime, because an infected computer is responsible for infecting other computers as well (sending spam etc).

Does this computer belong to a company or is it used for work? Please answer this question first, because this is really important to know.
Also, is your Antivirus still up to date? Because I cannot believe it is up to date since so much older malware is still up and running.


Hmmm, I don't think it was as infected as it is now, but you probably know a lot more about it than I do. This computer used to be used for business, but now it is the "family computer" that only the kids use. The antivirus system, McAfee, is up to date, just not on this computer. For some reason, my Dad did not have the foresight to install any kind of anti-virus system on this computer, which brings me to the main point of my topic.

Is there any way to link a computer through a wired LAN connection and scan it using a clean computer's antivirus system? I need to know ASAP because this may be the only way to help the comp as it seems to refuse to let me access any antivirus programs whatsoever.

edit: If not, I may just want to delete everything and reinstall as there is nothing of great importance on it. (I would prolly just reinstall WIN XP)

Edited by gutlesswarrior, 05 December 2008 - 10:40 PM.


#4 miekiemoes (Malware Response Team)

Posted 06 December 2008 - 01:39 AM

Hi,

The antivirus system, McAfee, is up to date, just not on this computer

I only see Norton Antivirus on the infected computer and I'm pretty sure it's way outdated - or was a trial which already expired. That's why it is so important to have a working - up to date Antivirus present.

Is there any way to link a computer through a wired LAN connection and scan it using a clean computer's antivirus system? I need to know ASAP because this may be the only way to help the comp as it seems to refuse to let me access any antivirus programs whatsoever.

That doesn't surprise me at all. This is what malware does, it blocks Antivirus in the first place, blocks their sites and on top, it damages a lot.
You can still download the installer for an Antivirus to a clean computer and transfer it to the infected computer and hope it works.

* Please download Malwarebytes' Anti-Malware from Here or Here
If you can't download it, then download it to a clean computer and transfer it.

Then,

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

edit: If not, I may just want to delete everything and reinstall as there is nothing of great importance on it. (I would prolly just reinstall WIN XP)

To be honest, and in your case, that may be the fastest and especially the safest solution though...

#5 gutlesswarrior (Topic Starter)

Posted 06 December 2008 - 04:51 PM

ok, the only problem right now is that I'm using the Dell forums and I just made a combofix log, so I'll probably wait to see if this works out. If it doesn't I'll be sure to let you know (if it does work I'll let you know as well).

So until then, feel free to help other people and thanks for your help so far :thumbsup:

#6 miekiemoes (Malware Response Team)

Posted 07 December 2008 - 03:37 AM

Well, if you are already receiving help somewhere else as well, then there's no need to have several threads running.
I just hope that the people who are helping you make you aware of the fact that, even though you cleaned up the infection manually, you will never be able to trust this computer again, and errors / corruption will always be present, especially since this computer was infected for so long and, on top, you're dealing with a lot of nasty infections which compromise and steal passwords as well.