
Some sort of Trojan - Antivirus software didn't find it

This topic is locked. 2 replies to this topic.

#1 Neicul


  • Members
  • 1 posts
  • Local time:02:16 PM

Posted 06 December 2009 - 07:23 PM

I discovered that I have some malware on my computer when I logged into my World of Warcraft account and discovered that all my stuff was gone. I did a virus scan, and it didn't find anything. I got the Hijackthis log.

StartupList report, 12/6/2009, 4:03:15 PM
StartupList version: 1.52.2
Started from : E:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options

Running processes:

E:\Program Files\Logitech\iTouch\iTouch.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\F-Secure\Common\FSM32.EXE
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Windows Live\Messenger\msnmsgr.exe
E:\Program Files\Steam\Steam.exe
E:\Program Files\Electronic Arts\EADM\Core.exe
E:\Program Files\BitTorrent_DNA\btdna.exe
E:\Documents and Settings\Luc\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\Program Files\OpenOffice.org 2.3\program\soffice.exe
E:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
E:\Program Files\F-Secure\Common\FSMA32.EXE
E:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\F-Secure\Common\FSMB32.EXE
E:\Program Files\F-Secure\Common\FCH32.EXE
E:\Program Files\F-Secure\Common\FAMEH32.EXE
E:\Program Files\F-Secure\Anti-Virus\fsqh.exe
E:\Program Files\F-Secure\FSGUI\fsguidll.exe
E:\Program Files\F-Secure\Anti-Virus\fssm32.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\F-Secure\FSAUA\program\fsaua.exe
E:\Program Files\F-Secure\Common\FNRB32.EXE
E:\Program Files\F-Secure\Common\FIH32.EXE
E:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
E:\Program Files\Windows Live\Contacts\wlcomm.exe
E:\Program Files\F-Secure\Anti-Virus\fsav32.exe
E:\Program Files\Java\jre6\bin\jucheck.exe
E:\Program Files\F-Secure\FSGUI\fsavgui.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe


Listing of startup folders:

Shell folders Startup:
[E:\Documents and Settings\Luc\Start Menu\Programs\Startup]
OpenOffice.org 2.3.lnk = E:\Program Files\OpenOffice.org 2.3\program\quickstart.exe

Shell folders Common Startup:
[E:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe


Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = E:\WINDOWS\system32\userinit.exe,


Autorun entries from Registry:

Soltek = E:\WINDOWS\system32\autorun.exe
zBrowser Launcher = E:\Program Files\Logitech\iTouch\iTouch.exe
Kernel and Hardware Abstraction Layer = KHALMNPR.EXE
SunJavaUpdateSched = "E:\Program Files\Java\jre6\bin\jusched.exe"
AppleSyncNotifier = E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
F-Secure Manager = "E:\Program Files\F-Secure\Common\FSM32.EXE" /splash
F-Secure TNB = "E:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
NvCplDaemon = RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
QuickTime Task = "E:\Program Files\QuickTime\QTTask.exe" -atboottime
iTunesHelper = "E:\Program Files\iTunes\iTunesHelper.exe"
MS_MASTER = RUNDLL32.EXE E:\WINDOWS\system32\xml_inc.dll,i


Autorun entries from Registry:

MsnMsgr = "E:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
Steam = "E:\Program Files\Steam\Steam.exe" -silent
EA Core = "E:\Program Files\Electronic Arts\EADM\Core.exe" -silent
BitTorrent DNA = "E:\Program Files\BitTorrent_DNA\btdna.exe"
Octoshape Streaming Services = "E:\Documents and Settings\Luc\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun


Shell & screensaver key from E:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*


Enumerating Browser Helper Objects:

(no name) - (no file) - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - (no file) - {5C255C8A-E604-49b4-9D64-90988571CECB}
(no name) - E:\Program Files\XfireXO\tbXfir.dll - {5e5ab302-7f65-44cd-8211-c1d4caaccea3}
(no name) - E:\Program Files\Java\jre6\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - E:\Program Files\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}
JQSIEStartDetectorImpl - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll - {E7E6F031-17CE-4C07-BC86-EABFE594F69C}


Enumerating Task Scheduler jobs:

Scheduled scanning task.job


Enumerating Download Program Files:

[Checkers Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

[MSN Photo Upload Tool]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

[Solitaire Showdown Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\SolitaireShowdown.dll
CODEBASE = http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

[UnoCtrl Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\GAME_UNO1.dll
CODEBASE = http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab

[MessengerStatsClient Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

[Shockwave Flash Object]
InProcServer32 = E:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Enumerating Winsock LSP files:

NameSpace #4: E:\Program Files\Bonjour\mdnsNSP.dll


Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: E:\WINDOWS\system32\SHELL32.dll
CDBurn: E:\WINDOWS\system32\SHELL32.dll
WebCheck: E:\WINDOWS\system32\webcheck.dll
SysTray: E:\WINDOWS\system32\stobject.dll
WPDShServiceObj: E:\WINDOWS\system32\WPDShServiceObj.dll

End of report, 8,858 bytes
Report generated in 0.031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
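A StartupList report like the one above is easiest to review when the sections that carry persistence (registry autoruns, Browser Helper Objects) are parsed and the entries that deserve a second look are pulled out. The following Python script is an added example for this thread, not the poster's log tool and not anything F-Secure or Trend Micro ships: it embeds an excerpt of the report posted above, splits it into sections by the `Header:` lines StartupList prints, and applies three review heuristics that are my own (a rundll32 entry whose export name is one or two characters, an autorun whose binary is given without a path, and a BHO whose DLL is listed as `(no file)`). A flagged entry is a prompt to look at the file on disk, not a verdict that it is malicious.

```python
import re
from typing import Dict, List, Tuple

# Excerpt of the StartupList report posted in this thread, embedded so the
# triage runs offline. Section headers are kept exactly as StartupList prints
# them; the duplicated "Autorun entries from Registry:" header is real (one per hive).
SAMPLE_REPORT = r"""
Autorun entries from Registry:

Soltek = E:\WINDOWS\system32\autorun.exe
Kernel and Hardware Abstraction Layer = KHALMNPR.EXE
SunJavaUpdateSched = "E:\Program Files\Java\jre6\bin\jusched.exe"
NvCplDaemon = RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
MS_MASTER = RUNDLL32.EXE E:\WINDOWS\system32\xml_inc.dll,i


Autorun entries from Registry:

Steam = "E:\Program Files\Steam\Steam.exe" -silent


Enumerating Browser Helper Objects:

(no name) - (no file) - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - E:\Program Files\Java\jre6\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - (no file) - {5C255C8A-E604-49b4-9D64-90988571CECB}
"""

# A section header is a line of text ending in ':' that contains no '=' (entries do).
SECTION_RE = re.compile(r"^[A-Za-z][^=]*:$")
# rundll32 <dll>,<export>  (the export is the function rundll32 calls inside the DLL)
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<dll>.+?),(?P<export>\S+)\s*$', re.I)
# <name> - <file or (no file)> - {CLSID}
BHO_RE = re.compile(r"^(?P<name>.+?) - (?P<file>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\})$")


def parse_sections(report: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the header that precedes them; repeated
    headers (one per registry hive) are merged into one list."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            current = line.rstrip(":")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def split_autorun(line: str) -> Tuple[str, str]:
    """'Name = command' -> (name, command)."""
    name, _, command = line.partition(" = ")
    return name.strip(), command.strip()


def command_binary(command: str) -> str:
    """First token of the command line, with surrounding quotes removed."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def triage_autoruns(entries: List[str]) -> List[Tuple[str, str]]:
    """Apply the two autorun heuristics; returns (entry name, reason) pairs."""
    findings = []
    for entry in entries:
        name, command = split_autorun(entry)
        m = RUNDLL_RE.match(command)
        if m:
            export = m.group("export")
            if len(export) <= 2:
                findings.append((name, f"rundll32 calls export '{export}' of "
                                       f"{m.group('dll').strip()}: unusually short export name, inspect the DLL"))
            continue
        binary = command_binary(command)
        if "\\" not in binary:
            findings.append((name, f"'{binary}' is given without a path and is resolved via the "
                                   f"search path; confirm which file actually runs"))
    return findings


def triage_bhos(entries: List[str]) -> List[Tuple[str, str]]:
    """Flag BHO registrations whose DLL no longer exists (orphaned CLSIDs)."""
    findings = []
    for entry in entries:
        m = BHO_RE.match(entry)
        if m and m.group("file") == "(no file)":
            findings.append((m.group("clsid"), "BHO registered but its DLL is missing; orphaned "
                                               "registration, harmless but worth cleaning up"))
    return findings


def triage_report(report: str) -> Dict[str, List[Tuple[str, str]]]:
    sections = parse_sections(report)
    return {
        "autoruns": triage_autoruns(sections.get("Autorun entries from Registry", [])),
        "bhos": triage_bhos(sections.get("Enumerating Browser Helper Objects", [])),
    }


if __name__ == "__main__":
    for section, findings in triage_report(SAMPLE_REPORT).items():
        print(f"[{section}]")
        for key, reason in findings:
            print(f"  {key}: {reason}")
```

Run against the excerpt, the script lists three autorun entries for review (the two path-less binaries and the rundll32 entry with a one-letter export) and the two orphaned BHO CLSIDs; everything else in the excerpt passes quietly. The rule set is deliberately small so that each hit can be explained in one sentence to the person who posted the log.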



#2 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:16 PM

Posted 19 December 2009 - 08:52 PM


My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

If you still require assistance we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS and RootRepeal. If you have any problems just let me know in your next reply or simply post a HijackThis log.

For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.

Thanks again and we apologize for the delay.

With Regards,
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].

#3 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:16 PM

Posted 24 December 2009 - 12:13 PM


Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].
