
Computer Infected With Trojan


2 replies to this topic

#1 x_nihilo

  • Members
  • 2 posts

Posted 31 January 2010 - 09:56 PM

This is my first post on any forum like this...so I apologize if I've screwed up already. But I've heard this is the best place to be for help, so I'm giving it a shot.

I have IObit Security 360, Malwarebytes' Anti-Malware, and Trend Micro HijackThis. I ran a scan with HijackThis and saved the log, but that's the extent of my use with HijackThis so far.

The scan returned this, with a description saying "...This way of loading a .dll is hardly ever used, except by trojans."...:

[ O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL ]

I have absolutely no idea if that's helpful, but that's one thing that stood out.

What else do you need to know? Thanks in advance for your help and your patience.

I guess you need more info, I'm just not sure what you need exactly. Here's the log from the HijackThis scan I ran a few minutes ago. Please let me know if I'm on the right track of providing the info you need. Thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:26 PM, on 2/14/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal
Windows folder: C:\Windows
System folder: C:\Windows\SYSTEM32
Hosts file: C:\Windows\System32\drivers\etc\hosts

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\IObit\IObit Security 360\is360tray.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Users\owner\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\PROGRA~1\Jetico\BCWipe\BCResident.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\igfxsrvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.teamtulsa.com/weather
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe (filesize 4472832 bytes, MD5 EFE2BF8C7BCCA92A4FBD2049F81D1EA0)
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" (filesize 647216 bytes, MD5 73BFDC88C6EF9715CDF57134A438837A)
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE (filesize 55824 bytes, MD5 E42A642E162B0468B2C4E9D803079C7F)
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart (filesize 1280272 bytes, MD5 C93588533C1D89F20BE913759F6837D5)
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon (filesize 767312 bytes, MD5 223AD0CA4092AEFFE0D0DE25502A3DB6)
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon (filesize 1983816 bytes, MD5 6681780074ADAADECF0CE500C446D464)
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup (filesize 992568 bytes, MD5 BC301B3BB2F51E3793FC9F5FA0DB59A8)
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" (filesize 483328 bytes, MD5 B985665B63E92D8DF8859EAE21E7B52F)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (filesize 417792 bytes, MD5 55D7A219AD8D0DB8980528944152A6FD)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (filesize 141608 bytes, MD5 8DC7685764B22DB97891012026FA7ED1)
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (filesize 206112 bytes, MD5 6DA7C93AB37B4A204BFCAE9FA07FF48D)
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p (filesize 257440 bytes, MD5 FE3546DE670045DB99AF060065FB5BD8)
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = C:\Users\owner\AppData\Roaming\Dropbox\bin\Dropbox.exe (filesize 26805255 bytes, MD5 B67731E75B844A0CDF7DA7B34F177CD7)
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (filesize 501384 bytes, MD5 C647547F1BB66FA0BE237CAFC49EA5F9)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll (filesize 501384 bytes, MD5 C647547F1BB66FA0BE237CAFC49EA5F9)
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{25312263-672D-4774-9BB2-5CDFCA1D3055}: NameServer = 94.75.220.3 94.75.220.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{25312263-672D-4774-9BB2-5CDFCA1D3055}: NameServer = 94.75.220.3 94.75.220.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BCWipe service (BCWipeSvc) - Jetico, Inc. - C:\Program Files\Jetico\BCWipe\BCWipeSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1ca45c9a12b016b) (gupdate1ca45c9a12b016b) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (file missing)
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\Windows\system32\ThpSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: WTouch Service (WTouchService) - Wacom Technology, Corp. - C:\Program Files\WTouch\WTouchService.exe

--
End of file - 11950 bytes

Edited by Pandy, 20 February 2010 - 04:33 PM.
Reply merged to make 0 replies ~Pandy
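As an added example (not part of the thread and not HijackThis's own code), a small Python triage helper for the HijackThis log format posted above: it parses the "Oxx - ..." entries and flags the items a reviewer checks first, including the O20 AppInit_DLLs entry the poster asked about, O23 services with an unknown owner or a missing file, and an O17 NameServer that is not on an expected list. The sample lines are constructed in the same format, and the flags are review prompts rather than verdicts.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis 2.x line format (not the poster's full log);
# the O20 line mirrors the entry asked about above, the others are typical.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{25312263-672D-4774-9BB2-5CDFCA1D3055}: NameServer = 94.75.220.3 94.75.220.1
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# HijackThis lines start with a section code (R0, R1, R3, F2, O1..O24) then " - ".
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")

@dataclass
class Entry:
    code: str
    body: str
    flags: list = field(default_factory=list)

def parse_hjt(text):
    """Return one Entry per recognised log line; headers and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries

def triage(entries, expected_dns=()):
    """Attach review flags an analyst checks first; heuristics, not verdicts."""
    for e in entries:
        if e.code == "O20" and e.body.startswith("AppInit_DLLs:"):
            # Loaded into every process that maps user32.dll: verify the DLL's publisher.
            e.flags.append("appinit-dll")
        elif e.code == "O23":
            if "Unknown owner" in e.body:
                e.flags.append("service-unknown-owner")
            if "(file missing)" in e.body:
                e.flags.append("service-file-missing")  # orphaned entry, usually a leftover
        elif e.code == "O17":
            m = re.search(r"NameServer = (.*)$", e.body)
            servers = m.group(1).split() if m else []
            if any(s not in expected_dns for s in servers):
                e.flags.append("dns-unexpected")  # compare against the ISP/router DNS first
    return [e for e in entries if e.flags]

if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(e.code, ",".join(e.flags), e.body[:70])
```

Pass the DNS servers you know the machine should be using as expected_dns so that only a changed resolver is flagged.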


#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 20 February 2010 - 07:17 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 25 February 2010 - 07:35 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



