Results 1 to 3 of 3

Thread: Trojan Proscks infection

  1. #1
    Junior Member
    Join Date
    Aug 2008
    Posts
    1

    Default Trojan Proscks infection

    I am having all sorts of events. CA Anti-Virus and Spybot S&D are busy displaying operations they are performing on my CPU's behalf. How do I clean this machine?

    Thanks.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:42:53 PM, on 8/12/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\AFinding.exe
    D:\Program Files\eTrust EZ Antivirus\ISafe.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\system32\macidwe.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\perfs.exe
    C:\WINNT\system32\HPZipm12.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\routing.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\sobicyt.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\tdxdowkc.exe
    D:\Program Files\eTrust EZ Antivirus\VetMsg.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    D:\Program Files\eTrust EZ Antivirus\CAVRID.exe
    C:\WINNT\system32\hphmon06.exe
    C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINNT\system32\ctfmon.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O1 - Hosts: 64.14.244.60 debtbankonline.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar8.dll
    O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {23DDAE8C-6A79-4d62-80AA-E95D89CB9811} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar8.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [CAVRID] "D:\Program Files\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb11.exe
    O4 - HKLM\..\Run: [HPHmon06] C:\WINNT\system32\hphmon06.exe
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Helios] D:\Program Files\Helios Logger\helios_logger.exe
    O4 - HKUS\S-1-5-21-2025429265-113007714-854245398-1000\..\Run: [ctfmon.exe] ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-2025429265-113007714-854245398-1000\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
    O4 - HKUS\S-1-5-21-2025429265-113007714-854245398-1000\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
    O4 - HKUS\S-1-5-21-2025429265-113007714-854245398-1000\..\Run: [Helios] D:\Program Files\Helios Logger\helios_logger.exe (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] F:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O15 - Trusted Zone: www.abcnews.com
    O15 - Trusted Zone: http://www.airamericaradio.com
    O15 - Trusted Zone: http://www.allmusic.com
    O15 - Trusted Zone: http://www.americanexpress.com
    O15 - Trusted Zone: http://www.americawest.com
    O15 - Trusted Zone: http://www.auto.com
    O15 - Trusted Zone: www.axaonline.com
    O15 - Trusted Zone: http://www.byc.com
    O15 - Trusted Zone: http://www.c-span.org
    O15 - Trusted Zone: http://consumerdownloads.ca.com
    O15 - Trusted Zone: http://www.ca.com
    O15 - Trusted Zone: *.ca.com
    O15 - Trusted Zone: http://www.census.gov
    O15 - Trusted Zone: www.chase.com
    O15 - Trusted Zone: http://www.chaseshop.com
    O15 - Trusted Zone: http://www.citizensinsurance.biz
    O15 - Trusted Zone: www.comcast.com
    O15 - Trusted Zone: webbanking.comerica.com
    O15 - Trusted Zone: *.comerica.com
    O15 - Trusted Zone: http://portal.covisint.com
    O15 - Trusted Zone: www.cspan.org
    O15 - Trusted Zone: http://www.dailykos.com
    O15 - Trusted Zone: http://support.dell.com
    O15 - Trusted Zone: www.dell.com
    O15 - Trusted Zone: http://www.dell.com
    O15 - Trusted Zone: www.delta.com
    O15 - Trusted Zone: http://www.delta.com
    O15 - Trusted Zone: http://www.earthlink.net
    O15 - Trusted Zone: http://www.flexiblebenefit.com
    O15 - Trusted Zone: http://www.flexmsa.com
    O15 - Trusted Zone: http://everest.dearborn.ford.com
    O15 - Trusted Zone: supplier-lb.everest.ford.com
    O15 - Trusted Zone: http://www.quality.ford.com
    O15 - Trusted Zone: www.freep.com
    O15 - Trusted Zone: www.abcnews.go.com
    O15 - Trusted Zone: http://www.abcnews.go.com
    O15 - Trusted Zone: http://www.grandchallenge.com
    O15 - Trusted Zone: http://multimedia.honda-eu.com
    O15 - Trusted Zone: http://www.honda.co.uk
    O15 - Trusted Zone: www.hotwire.com
    O15 - Trusted Zone: http://www.houseandgarden.com
    O15 - Trusted Zone: http://h10025.www1.hp.com
    O15 - Trusted Zone: www.hsabank.com
    O15 - Trusted Zone: http://spaces.icgpartners.com
    O15 - Trusted Zone: http://reg.imageshack.us
    O15 - Trusted Zone: http://www.imageshack.us
    O15 - Trusted Zone: http://www.imgag.com
    O15 - Trusted Zone: www.intellicast.com
    O15 - Trusted Zone: http://www.intellicast.com
    O15 - Trusted Zone: www.joann.com
    O15 - Trusted Zone: www.johnkerry.com
    O15 - Trusted Zone: http://security.kolla.de
    O15 - Trusted Zone: http://tln.lib.mi.us
    O15 - Trusted Zone: http://web2.tln.lib.mi.us
    O15 - Trusted Zone: http://www.macromedia.com
    O15 - Trusted Zone: http://www.mapquest.com
    O15 - Trusted Zone: http://www.metaldyne.com
    O15 - Trusted Zone: www.metroairport.com
    O15 - Trusted Zone: http://www.mi-democrats.com
    O15 - Trusted Zone: www.michaelcurry design.com
    O15 - Trusted Zone: www.michaelcurrydesign.com
    O15 - Trusted Zone: http://www.michaelcurrydesign.com
    O15 - Trusted Zone: http://www.michiganradio.org
    O15 - Trusted Zone: http://info.my-etrust.com
    O15 - Trusted Zone: www.my-etrust.com
    O15 - Trusted Zone: http://www.newcranbrooksingers.org
    O15 - Trusted Zone: www.npr.org
    O15 - Trusted Zone: http://res.nwa.com
    O15 - Trusted Zone: www.nwa.com
    O15 - Trusted Zone: http://www.nwa.com
    O15 - Trusted Zone: http://www.nytimes.com
    O15 - Trusted Zone: www.ofoto.com
    O15 - Trusted Zone: http://www.perfectosdragones.com
    O15 - Trusted Zone: www.pmi.org
    O15 - Trusted Zone: *.real.com
    O15 - Trusted Zone: http://ilead.realtor.com
    O15 - Trusted Zone: www.safer-networking.org
    O15 - Trusted Zone: http://atomfilms.shockwave.com
    O15 - Trusted Zone: http://www.starbucks.com
    O15 - Trusted Zone: www.treas.state.mi.us
    O15 - Trusted Zone: http://www.sun.com
    O15 - Trusted Zone: http://weeklyad.target.com
    O15 - Trusted Zone: dps1.travelocity.com
    O15 - Trusted Zone: www.travelocity.com
    O15 - Trusted Zone: http://www.travelocity.com
    O15 - Trusted Zone: http://www.tvguide.com
    O15 - Trusted Zone: ummedia02.rs.itd.umich.edu
    O15 - Trusted Zone: http://www.universalcard.com
    O15 - Trusted Zone: http://aiw1.uspto.gov
    O15 - Trusted Zone: http://aiw2.uspto.gov
    O15 - Trusted Zone: http://appft1.uspto.gov
    O15 - Trusted Zone: http://patft.uspto.gov
    O15 - Trusted Zone: http://patimg2.uspto.gov
    O15 - Trusted Zone: http://www.visualtour.com
    O15 - Trusted Zone: www.voguepatterns.com
    O15 - Trusted Zone: http://lists.votecobb.org
    O15 - Trusted Zone: www.wamu.org
    O15 - Trusted Zone: http://www.washingtonpost.com
    O15 - Trusted Zone: http://www.whitehouse.gov
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1126976088096
    O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2C16FB97-1F9D-423F-A623-F6171DA8600F}: NameServer = 68.94.156.1,68.94.157.1
    O23 - Service: afinding Service (afinding) - Unknown owner - C:\WINNT\system32\AFinding.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - D:\Program Files\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Diskeeper\DKService.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINNT\system32\macidwe.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINNT\system32\perfs.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
    O23 - Service: routing Service (routing) - Unknown owner - C:\WINNT\system32\routing.exe
    O23 - Service: sobicyt Service (sobicyt) - Unknown owner - C:\WINNT\system32\sobicyt.exe
    O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINNT\system32\tdxdowkc.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - D:\Program Files\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: wserving Service (wserving) - Unknown owner - C:\WINNT\system32\WServing.exe (file missing)

    --
    End of file - 13296 bytes

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067

    Default

    hi freija

    you have several nasty processes running as services. they are backdoor trojans. you should download and run sdfix ASAP. link and directions:

    Download SDFix and save it to your Desktop.

    http://downloads.andymanchesta.com/R...ools/SDFix.exe


    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :

    * Restart your computer
    * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    * Instead of Windows loading as normal, the Advanced Options Menu should appear;
    * Select the first option, to run Windows in Safe Mode, then press Enter.
    * Choose your usual account.

    * Open the extracted SDFix folder and double click RunThis.bat to start the script.
    * Type Y to begin the cleanup process.
    * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    * Press any Key and it will restart the PC.
    * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    * Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

    post the sdfix log and a new hjt log
    How Can I Reduce My Risk?

  3. #3
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067

    Default

    hi freija,

    have you run SDfix yet?
    How Can I Reduce My Risk?

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •