Jump to content

:filtered: trojans !


Recommended Posts

Hi all.

I have unfortunatly been infected with a couple of trojans. One was trojanspy:\win32/VBStat.E. The other appears to have been Trojan Juan or Vundo !!! Even though at the time I was running Windows One Care ( I have now deleted and gone back to AVG). I have run various spyware programs and they have found various malware etc. But none have got rid of it. Ad aware seems to have got rid of the trojans but I still get rogue web pages opening up whilst I'm on line and Ad aware seems to always pick up 10 critical objects and removes them. I now have windows defender running permenantly and a spyware program called Counterspy running but still rogue sites load up. AVG dosnt detect any threats. I've load Hijack This and attached log file as people seem to do. Am I missing a trick somewhere?????

I hope someone can help

Thanks hopefully Gary

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 6:30:35 PM, on 12/04/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\GtDetectSc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Dell\QuickSet\Quickset.exe

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Gary & Mich\Local Settings\Temporary Internet Files\Content.IE5\RVD3ZP6Q\HiJackThis_v2[1].exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\bwkfrtwp.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {84AC5F1C-FAE2-4A9A-9952-27365E9D33DF} - C:\WINDOWS\system32\sstqn.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O2 - BHO: (no name) - {D15EFFBE-61EE-480B-9507-25264732DE0F} - C:\WINDOWS\system32\urqnmlk.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe

O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=0

O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [soundService] rundll32.exe "C:\WINDOWS\system32\wxgdmhdc.dll",setvm

O4 - HKLM\..\Run: [spywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

O4 - HKLM\..\Run: [sBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe

O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"

O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN

O4 - HKCU\..\Run: [spywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Bluetooth Manager.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZNxmk846LDAU

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gazaroogaryyoungman.spaces.live.com...ad/MsnPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174984518416

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159359276984

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...003/mcfscan.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{32345A5B-5197-4FAA-BD68-3A241230F360}: Domain = qld.bigpond.net.au

O17 - HKLM\System\CCS\Services\Tcpip\..\{326C13FD-7C1A-4855-9113-F8DA51F5F93B}: Domain = qld.bigpond.net.au

O17 - HKLM\System\CCS\Services\Tcpip\..\{53D0FB29-9332-4F6B-A28C-9B7BA03554CC}: Domain = qld.bigpond.net.au

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

O20 - Winlogon Notify: gebcc - C:\WINDOWS\system32\gebcc.dll (file missing)

O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll (file missing)

O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll

O20 - Winlogon Notify: urqnmlk - C:\WINDOWS\SYSTEM32\urqnmlk.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe

O23 - Service: GT Detect (GtDetectSc) - OptionNV - C:\WINDOWS\system32\GtDetectSc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

 

--

End of file - 12421 bytes

Link to post
Share on other sites

Hi Gary,

It's showing in your log with a couple of other items bundled along with Vundo infection.

What you need to do from here......

Copy and paste this log or run another log scan and post a new thread in this HJT forum

 

 

Help with HJT logs

 

 

Also The version of HijackThis you are running is Beta, a product that is normally in its final stages of testing.

Often, a Beta version of a product may contain minor bugs and glitches, so let’s work with final version HijackThis 1.99.1 instead.

 

Use Control Panel > Add/Remove Programs to remove HijackThis v2.

Then, do a search and also delete any Folders or Files the program created.

 

Click here to download HJTsetup.exe

  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Please post the results of your HJT log in the dedicated HJT forum listed above.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Edited by Juliet
Link to post
Share on other sites

Hi Juliet,

Many thanks for that, will do as you say asap. I've had a pig of a time this weekend with this.

Cheers

Gary

 

 

Hi Gary,

It's showing in your log with a couple of other items bundled along with Vundo infection.

What you need to do from here......

Copy and paste this log or run another log scan and post a new thread in this HJT forum

Help with HJT logs

Also The version of HijackThis you are running is Beta, a product that is normally in its final stages of testing.

Often, a Beta version of a product may contain minor bugs and glitches, so let’s work with final version HijackThis 1.99.1 instead.

 

Use Control Panel > Add/Remove Programs to remove HijackThis v2.

Then, do a search and also delete any Folders or Files the program created.

 

Click here to download HJTsetup.exe

  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Please post the results of your HJT log in the dedicated HJT forum listed above.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...