Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: McAfee Tech Support Scam Harvesting Credit Card Information

Featured Deal: Get 95% Off the Certified Information Systems Security Professional Training Course

Help w/ Trojan variant.Hiloti

Started by ((Vibe)) , Oct 20 2010 10:58 AM

This topic is locked

2 replies to this topic

#1 ((Vibe))

Members
28 posts
OFFLINE

Local time:01:38 PM

Posted 20 October 2010 - 10:58 AM

Hello,

I could really use some help, I hope I am doing this right...My work computer has a virus on it, and to complicate matters further, my employer for some reason will not allow us to install any antivirus programs onto our computers (do not have admin rights).

I ran bit defender through firefox and the report is below. For some reason I was able to DL and use OTL to scan as well. (and can include any scan reports etc if it would be helpful)

Not sure how much can be done without being able to install any software or reformat, but after doing a search and reading some of the threads here I know if anyone can help me it's one of y'all. Any help would be greatly appreciated!

Thank you

QuickScan Beta 32-bit v0.9.9.41
-------------------------------
Scan date: Wed Oct 20 08:33:54 2010
Machine ID: 4831D48F

Found 3 infected files!
-----------------------

C:\Documents and Settings\myname\Local Settings\Application Data\csginbd.dll --> Trojan.TDSS.AGS
--> HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"Mnutur"
--> Process explorer.exe (1684)
--> Process rundll32.exe (3832)

C:\Documents and Settings\myname\Local Settings\Application Data\olukaqojo.dll --> Gen:Variant.Hiloti.4
--> HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"Jqajewomewomewom"
--> Process ctfmon.exe (3812)
--> Process explorer.exe (1684)
--> Process firefox.exe (2696)
--> Process msimn.exe (1924)
--> Process msmsgs.exe (3840)
--> Process rundll32.exe (3832)
--> Process soffice.bin (2312)

c:\windows\system\svchost.exe --> Trojan.Agent.AAEQ
--> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit"

Processes
---------
Firefox 2696 C:\Documents and Settings\All Users\Application Data\Mozilla Firefox\firefox.exe
Messenger 3840 C:\Program Files\Messenger\msmsgs.exe
Microsoft® Windows® Operating System 1924 C:\Program Files\Outlook Express\msimn.exe
Microsoft® Windows® Operating System 1684 C:\WINDOWS\explorer.exe
Microsoft® Windows® Operating System 3812 C:\WINDOWS\system32\ctfmon.exe
Microsoft® Windows® Operating System 3832 C:\WINDOWS\system32\rundll32.exe
OpenOffice.org 2.4 2312 C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
OpenOffice.org 2.4 2984 C:\Program Files\OpenOffice.org 2.4\program\soffice.exe

Network activity
----------------
Process firefox.exe (2696) connected on port 80 (HTTP) --> 74.125.227.49
Process firefox.exe (2696) connected on port 80 (HTTP) --> 74.125.227.49
Process firefox.exe (2696) connected on port 80 (HTTP) --> 74.125.227.49
Process firefox.exe (2696) connected on port 443 (HTTP over SSL) --> 74.125.227.49
Process firefox.exe (2696) connected on port 80 (HTTP) --> 74.125.227.49
Process firefox.exe (2696) connected on port 443 (HTTP over SSL) --> 74.125.227.55

Autoruns and critical files
---------------------------
Adobe Acrobat C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
Adobe Reader and Acrobat Manager C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
FrameDbl C:\Documents and Settings\myname\Local Settings\Application Data\csginbd.dll
Messenger C:\Program Files\Messenger\msmsgs.exe
Microsoft® Windows® Operating System C:\WINDOWS\system32\browseui.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\crypt32.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\ctfmon.exe
Microsoft® Windows® Operating System C:\WINDOWS\System32\dimsntfy.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe
Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\shell32.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\userinit.exe
Microsoft® Windows® Operating System C:\WINDOWS\system32\wlnotify.dll
olukaqojo.dll C:\Documents and Settings\myname\Local Settings\Application Data\olukaqojo.dll
quickstart.exe C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
QuickTime C:\Program Files\QuickTime\qttask.exe
svchost.exe c:\windows\system\svchost.exe
Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll

Browser plugins
---------------
AcroIEHelperShim Library c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll
Adobe Acrobat C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
BitDefender QuickScan C:\Documents and Settings\myname\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
BitDefender QuickScan C:\Documents and Settings\myname\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
Download PDF Files C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
getPlusPlus for Adobe 16263 C:\Documents and Settings\myname\Application Data\Mozilla\Firefox\Profiles\dz3gik1t.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.dll
InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.exe
InstallShield Update Service C:\WINDOWS\Downloaded Program Files\isusweb.dll
Java™ Platform SE 6 U11 c:\program files\java\jre6\bin\jp2ssv.dll
Java™ Platform SE 6 U11 c:\program files\java\jre6\bin\ssv.dll
Java™ Platform SE 6 U11 c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
Messenger C:\Program Files\Messenger\msmsgs.exe
Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
Microsoft® Windows® Operating System C:\WINDOWS\system32\mswsock.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll
Microsoft® Windows® Operating System C:\WINDOWS\system32\winrnr.dll
Mozilla Default Plug-in C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
QuickTime Plug-in 7.6.4 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
QuickTime Plug-in 7.6.4 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
QuickTime Plug-in 7.6.4 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
QuickTime Plug-in 7.6.4 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
QuickTime Plug-in 7.6.4 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
QuickTime Plug-in 7.6.4 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
QuickTime Plug-in 7.6.4 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
QuickTime Plug-in 7.6.4 C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
QuickTime Plug-in 7.6.4 C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
QuickTime Plug-in 7.6.4 C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
QuickTime Plug-in 7.6.4 C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
QuickTime Plug-in 7.6.4 C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
QuickTime Plug-in 7.6.4 C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
QuickTime Plug-in 7.6.4 C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
Silverlight Plug-In c:\Program Files\Microsoft Silverlight\3.0.40818.0\npctrl.dll
Windows® Internet Explorer C:\WINDOWS\system32\ieframe.dll

Missing files
-------------
File not found: C:\WINDOWS\System32\appmgmts.dll
--> HKLM\System\ControlSet001\services\AppMgmt\Parameters\"ServiceDll"

File not found: C:\WINDOWS\System32\hidserv.dll
--> HKLM\System\ControlSet001\services\HidServ\Parameters\"ServiceDll"

Scan
----

The following file(s) must be uploaded for server-side scanning:
C:\Documents and Settings\myname\Local Settings\Application Data\olukaqojo.dll

Upload started - 1 file(s)
olukaqojo.dll (199168)
Upload speed - 13 KB/s
Upload finished - 1 uploaded, 0 failed

Scan finished - communication took 16 sec
Total traffic - 0.21 MB sent, 0.86 KB recvd
Scanned 610 files and modules - 53 seconds

==============================================================================

Edited by Budapest, 20 October 2010 - 06:24 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~BP

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 Orange Blossom

OBleepin Investigator

Moderator
37,011 posts
ONLINE

Gender:Not Telling
Location:Bloomington, IN
Local time:03:38 PM

Posted 21 October 2010 - 11:36 PM

Hello,

Please follow the instructions in ==>This Guide<==. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Orange Blossom :thumbsup:

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

Back to top

#3 Orange Blossom

OBleepin Investigator

Moderator
37,011 posts
ONLINE

Gender:Not Telling
Location:Bloomington, IN
Local time:03:38 PM

Posted 09 January 2011 - 12:15 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic371396.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :cherry: