
Thread: Trojan's on work computer

  1. #1
    Junior Member (Join Date: Oct 2011, Posts: 2)

    Trojan's on work computer

    Tuesday we noticed our internet had slowed down extremely, and we know we got a trojan. We definitely know we have a Google redirect trojan (making anything we search redirect to a random website), and I'm sure there are quite a few more. Here is the DDS log.


    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Chris Starkey at 8:54:03 on 2011-10-06
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.300 [GMT -4:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k Akamai
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\StudioLine Photo Basic\NMSAccess32.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\TeamViewer\Version5\TeamViewer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\lgbpd.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Car-Part Messaging\CPM.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\car-part\CPKeySrv.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Hotlines\WinReceiver.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\Chris Starkey\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Chris Starkey\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Chris Starkey\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Hotlines\WinReceiver_Updater.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:59333
    uWinlogon: Shell=explorer.exe,
    uWindows: Load=c:\docume~1\chriss~1\LOCALS~1
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: {474597C5-AB09-49d6-A4D5-2E8D7341384E} - No File
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: {9da438a8-db0c-4606-9171-40bb5e927ebd} - c:\windows\system32\DNSAPIp.dll
    BHO: {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {A58686ED-FC46-44C3-95C6-4A812AB776F1} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: {65742936-8079-408B-9F3C-874B78030A72} - No File
    uRun: [LGBLiveUpdate] c:\windows\system32\lgbpd.exe
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [CPM] "c:\program files\car-part messaging\CPM.EXE"
    uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
    uRun: [Google Update] "c:\documents and settings\chris starkey\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [HotlinesSalvage] "c:\program files\westport research\hotlines\salvage.exe"
    mRun: [BCMSMMSG] BCMSMMSG.exe
    mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
    mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [volmgr] %APPDATA%\volmgr.exe
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [conhost] c:\documents and settings\chris starkey\application data\microsoft\conhost.exe
    mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OUFWRlJFRS1WWllGOC1DSzdRRy05VUJVUi03U1VMUy00NEtSMi1GS1NV"&"inst=NzctNTQwNzU0MTI3LUJBKzEtS1YzKzctVDEtVUNBTEwrMS1VQ0FMTDIrMi1UQjgrMi1GTCs4LUY4TTExQysxLVVQRysyMDExLUZMMTArMS1MSUMrOS1DSVArMg"&"prod=90"&"ver=10.0.1204
    mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
    mRunOnce: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    dRun: [poJSJfghGjFLx.exe] c:\documents and settings\all users\application data\poJSJfghGjFLx.exe
    dRunOnce: [AutoLaunch] c:\program files\lavasoft\ad-aware\AutoLaunch.exe monthly
    StartupFolder: c:\docume~1\chriss~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\chriss~1\startm~1\programs\startup\pwsche32.lnk - c:\program files\symantec\procomm plus\programs\PWSCHE32.EXE
    StartupFolder: c:\docume~1\chriss~1\startm~1\programs\startup\shortc~1.lnk - c:\hotlines\WinReceiver.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\car-pa~1.lnk - c:\car-part\CPKeySrv.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\upsonl~1.lnk - c:\ups\uows\PldReminder.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    LSP: mswsock.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {00000075-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxmsdec.CAB
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
    DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: Interfaces\{7C4F631A-BD87-4E7E-B4C6-B1E41E7CB2A4} : NameServer = 170.215.184.3,74.40.37.242
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
    Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} -
    WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
    AppInit_DLLs: c:\progra~1\imesha~1\mediabar\datamngr\datamngr.dll c:\progra~1\imesha~1\mediabar\datamngr\IEBHO.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
    Hosts: 95.64.61.131 www.google.com
    Hosts: 95.64.61.132 www.bing.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\chris starkey\application data\mozilla\firefox\profiles\g9b5rfo5.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://rascotruckparts.com/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/?d=4d52b922&i=23&tp=ab&nt=1&q=
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 59333
    FF - prefs.js: network.proxy.type - 1
    FF - component: c:\documents and settings\chris starkey\application data\mozilla\firefox\profiles\g9b5rfo5.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
    FF - plugin: c:\documents and settings\chris starkey\application data\mozilla\plugins\np-mswmp.dll
    FF - plugin: c:\documents and settings\chris starkey\local settings\application data\google\update\1.3.21.69\npGoogleUpdate3.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
    FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    ============= SERVICES / DRIVERS ===============
    .
    R0 ardvimpz;ardvimpz;c:\windows\system32\drivers\qkkvyuvb.dat --> c:\windows\system32\drivers\qkkvyuvb.dat [?]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-24 201320]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2001-8-18 14336]
    R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-1-12 2025336]
    S2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myagtsvc.exe /servicestart --> c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [?]
    S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\MfeAVFK.sys [2009-3-24 79304]
    S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\MfeBOPK.sys [2009-3-24 35240]
    S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\MfeRKDK.sys [2009-3-24 33832]
    .
    =============== Created Last 30 ================
    .
    2011-10-05 14:36:43 182272 ----a-w- c:\documents and settings\chris starkey\application data\conhost.exe
    2011-10-05 14:36:15 186880 ----a-w- c:\windows\system32\lvvm.exe
    2011-10-05 14:35:48 177664 ----a-w- c:\documents and settings\chris starkey\application data\microsoft\csrss.exe
    2011-10-05 12:32:16 7269712 ------w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\updates\mpengine.dll
    2011-10-04 19:47:53 182272 ----a-w- c:\documents and settings\chris starkey\application data\dwm.exe
    2011-10-03 14:53:41 -------- d-----w- c:\windows\$BLSTUN$
    2011-10-03 14:53:22 505856 ----a-w- c:\documents and settings\all users\application data\poJSJfghGjFLx.exe
    2011-10-03 13:41:21 181760 ----a-w- c:\program files\windows nt\dwm.exe
    2011-10-03 13:33:19 161280 ----a-w- c:\windows\system32\0.7881175952919637.exe
    2011-10-03 13:33:01 179712 ----a-w- c:\program files\internet explorer\conhost.exe
    2011-10-03 13:33:01 -------- d-----w- C:\Microsoft
    2011-10-03 13:32:29 179712 ----a-w- c:\windows\system32\0.6660133014122138.exe
    2011-10-03 13:17:49 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{33c51a7b-0c84-4977-81c5-b69628b9a24d}\offreg.dll
    2011-10-03 13:17:37 7269712 ------w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{33c51a7b-0c84-4977-81c5-b69628b9a24d}\mpengine.dll
    2011-10-03 13:15:40 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-10-03 13:15:39 -------- d-----w- c:\windows\system32\wbem\Repository
    .
    ==================== Find3M ====================
    .
    2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2008-04-22 17:40:58 774144 -c--a-w- c:\program files\RngInterstitial.dll
    2003-01-06 15:06:44 443576 -c--a-w- c:\program files\JunoSetup.exe
    .
    ============= FINISH: 8:56:10.50 ===============

    Appreciate the help!

    Quote Originally Posted by tashi:

        Hello SilencedMatrix,

        "Trojan's on work computer"

        Post #5 in the forum sticky may have been missed. Please see Personal computers

        Best regards.

    Appreciate the response tashi, I have read all of that. By work computer I mean the computer I do my work on, not for a company.
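Read as a defender, the log above already explains the symptom: the Hosts entries pin www.google.com and www.bing.com to outside addresses, both Internet Explorer and Firefox are set to proxy through 127.0.0.1:59333, and binaries named conhost.exe, csrss.exe and dwm.exe sit under Application Data rather than %SystemRoot%. The following triage script is an added example, not part of the thread or of the DDS tool; the sample lines are constructed from the log above, and the list of system-binary names it checks is an assumption.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Constructed sample: a handful of lines modelled on the DDS log in the post above.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:59333
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [conhost] c:\documents and settings\chris starkey\application data\microsoft\conhost.exe
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 59333
Hosts: 95.64.61.131 www.google.com
Hosts: 95.64.61.132 www.bing.com
Hosts: 127.0.0.1 localhost
2011-10-05 14:35:48 177664 ----a-w- c:\documents and settings\chris starkey\application data\microsoft\csrss.exe
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
"""

# Assumed list: core Windows binaries whose names malware borrows; genuine copies live under c:\windows\.
SYSTEM_NAMES = {"conhost.exe", "csrss.exe", "dwm.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
PATH_RE = re.compile(r'[a-z]:\\[^"\r\n]*?\.exe', re.IGNORECASE)
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)", re.IGNORECASE)
# IE "ProxyServer = http=127.0.0.1:port" or Firefox "network.proxy.http - 127.0.0.1"
PROXY_RE = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost):\d+"
    r"|network\.proxy\.http - (?:127\.0\.0\.1|localhost)",
    re.IGNORECASE,
)


def triage(log: str) -> list[tuple[str, str]]:
    """Return (category, evidence) pairs for the three hijack patterns seen in the log."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            # Any host pinned to a non-loopback address deserves a look; search engines especially.
            if not ip.startswith("127.") and ip != "::1":
                findings.append(("hosts-hijack", f"{host} -> {ip}"))
            continue
        if PROXY_RE.search(line):
            findings.append(("local-proxy", line))
            continue
        for path in PATH_RE.findall(line):
            p = PureWindowsPath(path.lower())
            if p.name in SYSTEM_NAMES and not str(p).startswith("c:\\windows\\"):
                findings.append(("masquerade", str(p)))
    return findings


if __name__ == "__main__":
    for category, evidence in triage(SAMPLE_LOG):
        print(f"{category:13} {evidence}")
```

Run it against a full DDS log and the three categories line up with the Hosts, proxy and Run/Created sections a helper would ask about first.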

  2. #2
    Junior Member (Join Date: Oct 2011, Posts: 2)

    This thread can be moved to archive or deleted, I just figured it out and fixed it.
