Thread: I have several trojans, please help.
  1. #1
    Junior Member
    Join Date
    Nov 2008
    Posts
    14

    I have several trojans, please help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:46:18 AM, on 3/13/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\skull\Desktop\HiJackThis\smartscanner.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uedit32.exe,C:\WINDOWS\system32\symstore.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab3.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1229559034382
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

    --
    End of file - 4236 bytes

  2. #2
    Blade81 (Emeritus)
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,300


    Hi

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.

    Microsoft Windows Insider MVP 2016-2018
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Nov 2008
    Posts
    14


    Hello,

    Thanks for getting back to me. Here are the logs you requested.


    DDS (Ver_09-02-01.01) - NTFSx86
    Run by skull at 13:51:40.94 on Sun 03/15/2009
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.204 [GMT -7:00]

    AV: McAfee VirusScan *On-access scanning enabled* (Updated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\skull\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

    ============= SERVICES / DRIVERS ===============

    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-12 213640]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-12 359952]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\McShield.exe [2008-6-12 144704]
    R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-6-12 606736]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-12 79304]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-12 35272]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-12 40552]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-12 34216]

    =============== Created Last 30 ================

    2009-03-12 22:54 116,224 a------- c:\windows\sed.exe
    2009-03-12 22:54 <DIR> --d----- C:\ComboFix
    2009-03-12 07:15 <DIR> --d----- c:\docume~1\skull\applic~1\Malwarebytes
    2009-03-12 07:15 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-03-12 07:15 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-12 07:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-03-12 07:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-03-12 06:59 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
    2009-03-12 06:56 6 a------- c:\windows\_id.dat
    2009-03-12 06:56 128 a------- c:\windows\adobe.bat
    2009-03-11 17:07 <DIR> --d----- c:\program files\Spybot - Search & Destroy
    2009-03-11 17:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2009-03-10 22:21 130,150 a------- c:\windows\system32\adx.exe

    ==================== Find3M ====================

    2009-03-14 21:33 182,656 a------- c:\windows\system32\drivers\ndis.sys
    2009-03-10 07:18 410,984 a------- c:\windows\system32\deploytk.dll
    2009-03-01 00:35 1,744 a------- c:\windows\system32\d3d9caps.dat
    2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
    2009-01-19 18:13 4,212 ----h--- c:\windows\system32\zllictbl.dat
    2009-01-01 13:20 1,632 a------- c:\windows\system32\d3d8caps.dat
    2008-12-20 16:15 826,368 a------- c:\windows\system32\wininet.dll
    2008-12-18 09:27 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

    ============= FINISH: 13:52:37.61 ===============
    ==== System Restore Points ===================

    RP1: 3/12/2009 10:03:19 PM - System Checkpoint
    RP2: 3/13/2009 9:36:20 PM - Software Distribution Service 3.0

    ==== Installed Programs ======================


    ==== Event Viewer Messages From Past Week ========

    3/11/2009 8:39:39 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/11/2009 8:39:39 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    3/11/2009 8:39:39 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/11/2009 8:39:39 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    3/11/2009 8:38:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
    3/11/2009 8:38:35 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    3/11/2009 4:03:44 PM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).
    3/11/2009 8:39:39 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips IPSec mfehidk MPFP MRxSmb NetBIOS NetBT P3 RasAcd Rdbss Tcpip
    3/11/2009 9:16:38 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McShield with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
    3/12/2009 5:57:04 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips P3
    3/12/2009 7:52:37 AM, error: Srv [2019] - The server was unable to allocate from the system nonpaged pool because the pool was empty.
    3/12/2009 9:47:01 AM, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
    3/12/2009 3:35:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips mfehidk P3
    3/12/2009 9:54:24 PM, error: SRService [104] - The System Restore initialization process failed.
    3/12/2009 9:54:24 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
    3/14/2009 8:06:22 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    3/13/2009 8:16:36 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
    3/13/2009 8:16:41 PM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.

    ==== End Of File ===========================

  4. #4
    Blade81 (Emeritus)
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,300


    Hi

    Please post the contents of the attach.txt file too.

  5. #5
    Junior Member
    Join Date
    Nov 2008
    Posts
    14


    Hello Again,

    Here are the Attach.txt contents.


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-02-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 6/12/2008 3:21:50 PM
    System Uptime: 3/15/2009 1:29:11 PM (0 hours ago)

    Motherboard: Intel Corporation | | D815EEA
    Processor: Intel Pentium III processor | J4L1 | 996/133mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 19 GiB total, 12.546 GiB free.
    D: is FIXED (NTFS) - 298 GiB total, 6.944 GiB free.
    E: is CDROM ()
    F: is CDROM (CDFS)
    G: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 3/12/2009 10:03:19 PM - System Checkpoint
    RP2: 3/13/2009 9:36:20 PM - Software Distribution Service 3.0

    ==== Installed Programs ======================


    ==== Event Viewer Messages From Past Week ========

    3/11/2009 8:39:39 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/11/2009 8:39:39 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    3/11/2009 8:39:39 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/11/2009 8:39:39 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    3/11/2009 8:38:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
    3/11/2009 8:38:35 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    3/11/2009 4:03:44 PM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).
    3/11/2009 8:39:39 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips IPSec mfehidk MPFP MRxSmb NetBIOS NetBT P3 RasAcd Rdbss Tcpip
    3/11/2009 9:16:38 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McShield with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
    3/12/2009 5:57:04 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips P3
    3/12/2009 7:52:37 AM, error: Srv [2019] - The server was unable to allocate from the system nonpaged pool because the pool was empty.
    3/12/2009 9:47:01 AM, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
    3/12/2009 3:35:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips mfehidk P3
    3/12/2009 9:54:24 PM, error: SRService [104] - The System Restore initialization process failed.
    3/12/2009 9:54:24 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
    3/14/2009 8:06:22 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    3/13/2009 8:16:36 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
    3/13/2009 8:16:41 PM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.

    ==== End Of File ===========================

  6. #6
    Blade81 (Emeritus)
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,300


    Do NOT run 'fixes' before helpers have analyzed HJT log

    Hi

    I noticed you've run ComboFix by yourself though it's not recommended. Post contents of ComboFix.txt file back here.
