
Help with Trojan?


9 replies to this topic

#1 agushis

agushis

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:52 AM

Posted 31 March 2009 - 07:42 AM

Hi all!!
Here is my problem:
I have 2 computers in my house: one is mine and the other is my mom's notebook.
On Sunday my mom called me and told me she thinks she has a trojan on her notebook. I told her to run a scan and wait for me to come home. The scan showed nothing, but AVG kept saying that there was a trojan (it always changed where it was).
Yesterday, AVG said that the trojan had moved to my computer (we have a couple of shared folders), so I tried to download an antivirus (because I didn't have any), but it wouldn't let me. I tried AVG, Panda, NOD32, but Firefox keeps saying that it can't find the server and to check operator services; so I installed an old version of AVG that I found on my computer and ran a scan (but it showed nothing). I also removed the shared folders.
Today I got an alarm saying that I have the trojan and that it was in "C:\\" (I can't remember the name of the file, it was Esomething.exe) -.- I told AVG to delete it and went to C:\\ to see if it was gone. I didn't find that file, but I found these: ijmaxk.exe, npgdqn.exe and yapf.exe. I googled them and got here :thumbsup: . The post said to download Malwarebytes Anti-Malware but.... it wouldn't let me go to that page -.-
So now it restarts itself every couple of minutes and I don't know what to do..
Help?



#2 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 31 March 2009 - 08:03 AM

Hi

Download BIT (mirror) to your desktop.
Unzip the file. (Tutorial)
Double-click on BIT.exe. The program will launch.
Now choose option 3: Create a startup report.
Post the logfile in your next reply.

#3 agushis

agushis
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE

Posted 31 March 2009 - 08:06 AM

Blackbird's Information Tool (BIT) STARTUPREPORT
BIT v1.1

Microsoft Windows XP [Versión 5.1.2600]
-----------------------------------------------------


Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
--------------------------------------------------------------------------------

"MSMSGS"="\"C:\\Archivos de programa\\Messenger\\msmsgs.exe\" /background"


Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\Run
--------------------------------------------------------------------------------

"SiS KHooker"="C:\\WINDOWS\\system32\\khooker.exe"
"AVG8_TRAY"="C:\\ARCHIV~1\\AVG\\AVG8\\avgtray.exe"
"Microsoft® System Manager"="C:\\WINDOWS\\system32\\sysmgr.exe"
"sysmgr"="C:\\WINDOWS\\system32\\sysmgr.exe"
"KernelFaultCheck"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,64,00,75,00,6d,00,70,00,72,00,65,00,70,00,20,00,30,00,20,00,2d,00,6b,\
00,00,00






Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
--------------------------------------------------------------------------------

Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
--------------------------------------------------------------------------------

Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
--------------------------------------------------------------------------------

Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
--------------------------------------------------------------------------------

"csrcs"="C:\\WINDOWS\\system32\\csrcs.exe"
"sysmgr"="C:\\WINDOWS\\system32\\sysmgr.exe"


Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
--------------------------------------------------------------------------------



Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
--------------------------------------------------------------------------------



Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
--------------------------------------------------------------------------------



Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
--------------------------------------------------------------------------------

Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
--------------------------------------------------------------------------------


--- End of file ---

#4 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 31 March 2009 - 08:16 AM

Hi,

1. We need to back up the registry before we continue.
Registry edits can be potentially dangerous; we can revert to the backup if needed.
Go to Start » Run » type: regedit » OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to File » Export
    • Make sure in that window there is a tick next to "All" under Export Range.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click Save and then go to File » Exit.
2. Open Notepad.
Copy this into the Notepad-file:

REGEDIT4

; regedit only accepts the full root key names in a .reg file (HKLM/HKCU shorthand is not recognised)
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sysmgr"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"csrcs"=-
"sysmgr"=-


Go to File - Save as.
Fill in the following values:
Save in: Desktop
Filename: fix.reg
File type: All files (*.*).
Now, double-click on fix.reg.

3. Restart your computer.

4. Create a new logfile (option 3) with BIT, and post the logfile in your next reply.

#5 agushis

agushis
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:52 AM

Posted 31 March 2009 - 08:30 AM

Nice.. it restarted itself like 3 or 4 times while I was doing this -.-


Blackbird's Information Tool (BIT) STARTUPREPORT
BIT v1.1

Microsoft Windows XP [Versión 5.1.2600]
-----------------------------------------------------


Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
--------------------------------------------------------------------------------

"MSMSGS"="\"C:\\Archivos de programa\\Messenger\\msmsgs.exe\" /background"


Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\Run
--------------------------------------------------------------------------------

"SiS KHooker"="C:\\WINDOWS\\system32\\khooker.exe"
"AVG8_TRAY"="C:\\ARCHIV~1\\AVG\\AVG8\\avgtray.exe"
"Microsoft® System Manager"="C:\\WINDOWS\\system32\\sysmgr.exe"
"sysmgr"="C:\\WINDOWS\\system32\\sysmgr.exe"
"KernelFaultCheck"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,64,00,75,00,6d,00,70,00,72,00,65,00,70,00,20,00,30,00,20,00,2d,00,6b,\
00,00,00






Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
--------------------------------------------------------------------------------

Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
--------------------------------------------------------------------------------

Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
--------------------------------------------------------------------------------

Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
--------------------------------------------------------------------------------

"csrcs"="C:\\WINDOWS\\system32\\csrcs.exe"
"sysmgr"="C:\\WINDOWS\\system32\\sysmgr.exe"


Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
--------------------------------------------------------------------------------



Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
--------------------------------------------------------------------------------



Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
--------------------------------------------------------------------------------



Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
--------------------------------------------------------------------------------

Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
--------------------------------------------------------------------------------


--- End of file ---
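The removal procedure in post #4 deletes two named values from the Run keys, and the report posted right after it (this post) still lists every one of them, which is the check that matters: did the fix actually take? The script below is an added example, not part of this thread and not BIT's own code. It parses the BIT STARTUPREPORT format as printed above, flags autorun entries by three heuristics of my own (a value living under Policies\Explorer\Run, one executable registered under several value names, and an executable whose name is one character away from a core Windows process name), checks a later report for values that should have been gone, and emits a REGEDIT4 deletion file with the full root key names regedit requires. The sample report is a trimmed copy of the one in this thread; the function names and the heuristics are assumptions, not anything BIT provides.

```python
"""Parse a BIT (Blackbird's Information Tool) STARTUPREPORT, flag autorun
entries that look like persistence, check whether a later report still lists
them, and build a REGEDIT4 file that deletes them.  Added example for this
thread; heuristics and helper names are my own, not BIT's."""
import re
from collections import defaultdict

# Constructed sample: the Run sections of the thread's report, trimmed.
REPORT = r'''Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"MSMSGS"="\"C:\\Archivos de programa\\Messenger\\msmsgs.exe\" /background"
Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"SiS KHooker"="C:\\WINDOWS\\system32\\khooker.exe"
"AVG8_TRAY"="C:\\ARCHIV~1\\AVG\\AVG8\\avgtray.exe"
"Microsoft® System Manager"="C:\\WINDOWS\\system32\\sysmgr.exe"
"sysmgr"="C:\\WINDOWS\\system32\\sysmgr.exe"
"KernelFaultCheck"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00
Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
"csrcs"="C:\\WINDOWS\\system32\\csrcs.exe"
"sysmgr"="C:\\WINDOWS\\system32\\sysmgr.exe"
'''

SECTION_RE = re.compile(r'^Contents of (HK\w+\\.+?)\s*$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)
HIVES = {'HKLM': 'HKEY_LOCAL_MACHINE', 'HKCU': 'HKEY_CURRENT_USER'}
# Core Windows process names; a one-letter variant of one is a classic disguise.
SYSTEM_EXES = {'csrss.exe', 'smss.exe', 'lsass.exe', 'svchost.exe',
               'winlogon.exe', 'services.exe', 'explorer.exe'}

def parse_startup_report(text):
    """{registry key: {value name: raw data}}.  hex(2) continuation lines carry
    no leading quote and are skipped; the first line is enough for our checks."""
    entries, current = {}, None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            entries[current] = {}
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            entries[current][val.group(1)] = val.group(2)
    return entries

def exe_path(raw):
    """Lower-cased executable path from a quoted REG_SZ value, else None."""
    if not raw.startswith('"'):
        return None
    m = EXE_RE.search(re.sub(r'\\(.)', r'\1', raw[1:-1]))  # undo \" and \\
    return m.group(0).lower() if m else None

def edit_distance(a, b):
    """Levenshtein distance for the look-alike process-name check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flag_suspicious(entries):
    """List of (key, value name, reason) for entries worth a closer look."""
    by_exe = defaultdict(list)
    for key, values in entries.items():
        for name, raw in values.items():
            if exe_path(raw):
                by_exe[exe_path(raw)].append((key, name))
    flagged = []
    for key, values in entries.items():
        for name, raw in values.items():
            path, reasons = exe_path(raw), []
            if 'policies\\explorer\\run' in key.lower():
                reasons.append('lives in Policies\\Explorer\\Run')
            if path and len(by_exe[path]) > 1:
                reasons.append('same exe registered %d times' % len(by_exe[path]))
            base = path.rsplit('\\', 1)[-1] if path else ''
            if base and base not in SYSTEM_EXES and any(
                    edit_distance(base, s) == 1 for s in SYSTEM_EXES):
                reasons.append('%s mimics a Windows process name' % base)
            if reasons:
                flagged.append((key, name, '; '.join(reasons)))
    return flagged

def still_present(entries, targets):
    """(key, name) pairs a later report still lists: non-empty means the
    deletion did not take, or the value was re-created."""
    return [(k, n) for k, n in targets if n in entries.get(k, {})]

def reg_delete_script(targets):
    """REGEDIT4 text deleting each (key, name); root keys are expanded because
    regedit does not accept the HKLM/HKCU shorthand inside .reg files."""
    by_key = defaultdict(list)
    for key, name in targets:
        hive, _, rest = key.partition('\\')
        by_key[HIVES.get(hive, hive) + '\\' + rest].append(name)
    lines = ['REGEDIT4', '']
    for key, names in by_key.items():
        lines += ['[%s]' % key] + ['"%s"=-' % n for n in names] + ['']
    return '\n'.join(lines)

if __name__ == '__main__':
    found = parse_startup_report(REPORT)
    flagged = flag_suspicious(found)
    for key, name, why in flagged:
        print('%s\n    "%s": %s' % (key, name, why))
    targets = [(k, n) for k, n, _ in flagged]
    print('\nstill listed in a later, identical report:', still_present(found, targets))
    print(reg_delete_script(targets))
```

Run against the thread's report it flags both sysmgr values in HKLM\...\Run, plus csrcs and sysmgr under Policies\Explorer\Run, and because the second report is identical to the first, `still_present` returns all four, the signal that the fix.reg did nothing and that something is keeping those values in place. Save the emitted file as ANSI (REGEDIT4 files are read in the system code page on Windows XP) so that the ® in "Microsoft® System Manager" survives.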

#6 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 31 March 2009 - 08:32 AM

Do step 2 again. Make a new logfile (option 3), and also a logfile with option 1 (driver report).

#7 agushis

agushis
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE

Posted 31 March 2009 - 08:34 AM

Startup report:

Blackbird's Information Tool (BIT) STARTUPREPORT
BIT v1.1

Microsoft Windows XP [Versión 5.1.2600]
-----------------------------------------------------


Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
--------------------------------------------------------------------------------

"MSMSGS"="\"C:\\Archivos de programa\\Messenger\\msmsgs.exe\" /background"


Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\Run
--------------------------------------------------------------------------------

"SiS KHooker"="C:\\WINDOWS\\system32\\khooker.exe"
"AVG8_TRAY"="C:\\ARCHIV~1\\AVG\\AVG8\\avgtray.exe"
"Microsoft® System Manager"="C:\\WINDOWS\\system32\\sysmgr.exe"
"sysmgr"="C:\\WINDOWS\\system32\\sysmgr.exe"
"KernelFaultCheck"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,64,00,75,00,6d,00,70,00,72,00,65,00,70,00,20,00,30,00,20,00,2d,00,6b,\
00,00,00






Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
--------------------------------------------------------------------------------

Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
--------------------------------------------------------------------------------

Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
--------------------------------------------------------------------------------

Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
--------------------------------------------------------------------------------

"csrcs"="C:\\WINDOWS\\system32\\csrcs.exe"
"sysmgr"="C:\\WINDOWS\\system32\\sysmgr.exe"


Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
--------------------------------------------------------------------------------



Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
--------------------------------------------------------------------------------



Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
--------------------------------------------------------------------------------



Contents of HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
--------------------------------------------------------------------------------

Contents of HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
--------------------------------------------------------------------------------


--- End of file ---


Driver report:

Blackbird's Information Tool (BIT) DRIVERREPORT
BIT v1.1

Microsoft Windows XP [Versión 5.1.2600]
-----------------------------------------------------



Nombre del m Nombre para mostrar Tipo de contr Fecha de vínculo
============ ====================== ============= ======================
ACPI Controlador Microsoft Ke 04/08/2004 03:07:35 a.
ACPIEC ACPIEC Ke 17/08/2001 05:57:55 p.
aec Eliminador de eco acús Ke 13/02/2004 12:20:15 p.
AFD AFD Ke 04/08/2004 03:14:13 a.
AsyncMac Controlador de medios Ke 04/08/2004 03:05:02 a.
atapi Controladora estándar Ke 04/08/2004 02:59:41 a.
Atmarpc Protocolo cliente ATM Ke 04/08/2004 02:58:29 a.
audstub Controlador auxiliar d Ke 17/08/2001 05:59:40 p.
AvgLdx86 AVG Free AVI Loader Dr Ke 14/07/2008 03:46:33 p.
AvgMfx86 AVG Free On-access Sca File Sy 26/06/2008 12:19:13 p.
AvgTdiX AVG Free8 Network Redi Ke 03/06/2008 10:20:43 a.
Beep Beep Ke 17/08/2001 05:47:33 p.
cbidf2k cbidf2k Ke 17/08/2001 05:52:06 p.
Cdaudio Cdaudio Ke 17/08/2001 05:52:26 p.
Cdfs Cdfs File Sy 04/08/2004 03:14:09 a.
Cdrom Controlador de CD-ROM Ke 04/08/2004 02:59:52 a.
cmuda C-Media WDM Audio Inte Ke 23/08/2004 05:21:10 a.
Disk Controlador de disco Ke 04/08/2004 02:59:53 a.
dmboot dmboot Ke 04/08/2004 03:07:13 a.
dmio Controlador del admini Ke 04/08/2004 03:07:13 a.
dmload dmload Ke 17/08/2001 05:58:15 p.
DMusic Sintetizador DLS Kerne Ke 04/08/2004 03:07:37 a.
drmkaud Descodificador de audi Ke 04/08/2004 03:07:56 a.
Fastfat Fastfat File Sy 04/08/2004 03:14:15 a.
Fdc Controlador de la unid Ke 04/08/2004 02:59:25 a.
Fips Fips Ke 17/08/2001 10:31:49 p.
Flpydisk Controlador de disquet Ke 04/08/2004 02:59:24 a.
FltMgr FltMgr File Sy 04/08/2004 03:01:17 a.
Ftdisk Controlador del admini Ke 17/08/2001 05:52:41 p.
Gpc Clasificador de paquet Ke 04/08/2004 03:04:11 a.
hidusb Controlador de clases Ke 17/08/2001 06:02:16 p.
HTTP HTTP Ke 04/08/2004 03:00:09 a.
i8042prt Teclado i8042 y contro Ke 04/08/2004 03:14:36 a.
Imapi Controlador de filtro Ke 04/08/2004 03:00:12 a.
intelppm Controlador de procesa Ke 04/08/2004 02:59:19 a.
Ip6Fw Controlador de Firewal Ke 04/08/2004 03:00:04 a.
IpFilterDriv Controlador de filtro Ke 17/08/2001 05:55:07 p.
IpInIp Controlador de túnel I Ke 04/08/2004 03:04:45 a.
IpNat Traductor de direccion Ke 04/08/2004 03:04:48 a.
IPSec Controlador IPSEC Ke 04/08/2004 03:14:27 a.
IRENUM Servicio enumerador IR Ke 04/08/2004 03:00:45 a.
isapnp Controlador de bus PnP Ke 17/08/2001 05:58:01 p.
Kbdclass Controlador de clase d Ke 04/08/2004 02:58:32 a.
kmixer Mezclador de audio de Ke 04/08/2004 03:07:46 a.
KSecDD KSecDD Ke 04/08/2004 02:59:45 a.
mnmdd mnmdd Ke 17/08/2001 05:57:28 p.
Modem Modem Ke 04/08/2004 03:08:04 a.
Mouclass Controlador de clase d Ke 04/08/2004 02:58:32 a.
mouhid Controlador HID de mou Ke 17/08/2001 05:47:57 p.
MountMgr MountMgr Ke 04/08/2004 02:58:29 a.
MRxDAV Redirector de cliente File Sy 04/08/2004 03:00:49 a.
MRxSmb MRXSMB File Sy 04/08/2004 03:15:14 a.
Msfs Msfs File Sy 04/08/2004 03:00:37 a.
MSKSSRV Proxy de servicio de t Ke 04/08/2004 02:58:39 a.
MSPCLOCK Proxy del reloj de tra Ke 04/08/2004 02:58:38 a.
MSPQM Proxy del administrado Ke 04/08/2004 02:58:39 a.
mssmbios Controlador BIOS de Mi Ke 04/08/2004 03:07:47 a.
Mup Mup File Sy 04/08/2004 03:15:20 a.
NDIS Controlador de sistema Ke 19/03/2009 08:57:38 p.
NdisTapi Controlador TAPI NDIS Ke 17/08/2001 05:55:29 p.
Ndisuio Protocolo E/S en modo Ke 04/08/2004 03:03:10 a.
NdisWan Controlador WAN NDIS d Ke 04/08/2004 03:14:30 a.
NDProxy Proxy NDIS Ke 17/08/2001 05:55:30 p.
NetBIOS Interfaz de NetBIOS File Sy 04/08/2004 03:03:19 a.
NetBT NetBios a través de Tc Ke 04/08/2004 03:14:36 a.
Npfs Npfs File Sy 04/08/2004 03:00:38 a.
Ntfs Ntfs File Sy 04/08/2004 03:15:06 a.
Null Null Ke 17/08/2001 05:47:39 p.
NwlnkFlt Controlador de filtro Ke 17/08/2001 05:54:05 p.
NwlnkFwd Controlador retransmis Ke 17/08/2001 05:54:08 p.
Parport Controlador de puerto Ke 04/08/2004 02:59:04 a.
PartMgr PartMgr Ke 17/08/2001 10:32:23 p.
ParVdm ParVdm Ke 17/08/2001 05:49:49 p.
PCI PCI Bus Driver Ke 04/08/2004 03:07:45 a.
PCIIde PCIIde Ke 17/08/2001 05:51:49 p.
Pcmcia Pcmcia Ke 04/08/2004 03:07:45 a.
PptpMiniport Minipuerto WAN (PPTP) Ke 04/08/2004 03:14:26 a.
Ptilink Controlador de vínculo Ke 17/08/2001 05:49:53 p.
PxHelp20 PxHelp20 Ke 02/02/2007 06:23:57 p.
RasAcd Controlador de conexió Ke 17/08/2001 05:55:39 p.
Rasl2tp Minipuerto WAN (L2TP) Ke 04/08/2004 03:14:21 a.
RasPppoe Controlador de acceso Ke 04/08/2004 03:05:06 a.
Raspti Paralelo directo Ke 17/08/2001 05:55:32 p.
Rdbss Rdbss File Sy 04/08/2004 03:20:05 a.
RDPCDD RDPCDD Ke 17/08/2001 05:46:56 p.
rdpdr Controlador de redirec Ke 04/08/2004 03:01:10 a.
RDPWD RDPWD Ke 04/08/2004 02:59:01 a.
redbook Controlador de filtro Ke 04/08/2004 02:59:34 a.
Secdrv Secdrv Ke 09/02/2001 01:51:30 p.
serenum Controlador de filtro Ke 04/08/2004 02:59:06 a.
Serial Controlador de puerto Ke 04/08/2004 03:15:51 a.
Sfloppy Sfloppy Ke 04/08/2004 02:59:53 a.
SiS315 SiS315 Ke 29/05/2003 11:42:05 p.
sisagp SiS AGP Filter Ke 12/01/2003 11:43:54 p.
SiSkp SiSkp Ke 14/05/2003 05:09:16 a.
SISNIC Controlador de adaptad Ke 29/10/2003 04:55:09 a.
splitter Divisor de audio del n Ke 04/08/2004 03:07:46 a.
sr Controlador de filtro File Sy 04/08/2004 03:06:22 a.
Srv Srv File Sy 04/08/2004 03:14:44 a.
swenum Controlador del bus de Ke 04/08/2004 02:58:41 a.
swmidi Sintetizador de tabla Ke 17/08/2001 06:00:42 p.
sysaudio Dispositivo de sonido Ke 04/08/2004 03:15:54 a.
Tcpip Controlador de protoco Ke 04/08/2004 03:14:39 a.
TDPIPE TDPIPE Ke 04/08/2004 02:58:53 a.
TDTCP TDTCP Ke 04/08/2004 02:58:52 a.
TermDD Controlador de disposi Ke 04/08/2004 02:58:52 a.
Udfs Udfs File Sy 04/08/2004 03:00:27 a.
Update Dispositivo de actuali Ke 04/08/2004 02:58:32 a.
usbhub Concentrador habilitad Ke 04/08/2004 03:08:40 a.
usbohci Controlador minipuerto Ke 04/08/2004 03:08:34 a.
USBSTOR Dispositivo de almacen Ke 04/08/2004 03:08:44 a.
Vax347b Vax347b Ke 25/04/2005 04:43:56 a.
Vax347s Vax347s Ke 30/04/2004 03:32:58 a.
VgaSave VgaSave Ke 04/08/2004 03:07:06 a.
VolSnap VolSnap Ke 04/08/2004 03:00:14 a.
Wanarp Controlador ARP IP de Ke 04/08/2004 03:04:57 a.
wdmaud Controlador de compati Ke 04/08/2004 03:15:03 a.
WS2IFSL Entorno de compatibili Ke 17/08/2001 05:55:58 p.



---EOF---

#8 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 31 March 2009 - 08:37 AM

Hi,

I'm going to redirect you to the HijackThis section of this forum. This is because it's a deeper infection.
Read this page and follow its steps: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If you can't make a HJT report, please give them a link to this topic. They'll handle it anyway then. :thumbsup:

Good luck. :flowers:

Edited by superbird, 31 March 2009 - 08:37 AM.


#9 agushis

agushis
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:52 AM

Posted 31 March 2009 - 08:38 AM

Thanks for your help ^^
I think I'm going to kill my mom xD

#10 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE

Posted 31 March 2009 - 08:39 AM

Don't kill her, she has the right to live! :thumbsup:

Good luck, when you have questions about posting your log, you can ask them here.
