TechSpot

Exploit Trojan Help

Inactive
By krotchbat
Mar 3, 2013
  1. Hey there,
    After trying to find a fix for a weird .dll error window at every bootup and some scanning unfortunately I've uncovered the Exploit Trojan within my system. After the scan there were 4 results:
    C:\Users\El\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\415a0b13-10e5a366 Java/Exploit.Agent.NGE trojan

    Java:CVE-2012-1723-AMH%20[Expl]
    Java.Downloader.80
    Exploit.CVE-2012-0507.an
    Exploit-FEF!FA45250D2ACB

    Any help is GREATLY appreciated. Thanks.

    Kbat
     
  2. Broni

    Broni Malware Annihilator Posts: 48,031   +271

    Welcome aboard [​IMG]

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
    Attached logs won't be reviewed.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. krotchbat

    krotchbat TS Rookie Topic Starter

    Thanks for the reply and helpful instructions. I will respond momentarily thanks :D
     
  4. krotchbat

    krotchbat TS Rookie Topic Starter

    MBM Scan:
    Malwarebytes Anti-Malware (Trial) 1.70.0.1100
    www.malwarebytes.org
    Database version: v2013.03.03.10
    Windows Vista x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.6001.18882
    Ron :: Ron-PC [administrator]
    Protection: Disabled
    03/03/2013 5:19:48 PM
    mbam-log-2013-03-03 (17-19-48).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 198259
    Time elapsed: 4 minute(s), 23 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
     
  5. krotchbat

    krotchbat TS Rookie Topic Starter

    Attach
    ==============
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    .
    ==== Disk Partitions =========================
    .
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe Reader 8.1.2
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Shockwave Player 11
    Advanced Audio FX Engine
    Advanced Video FX Engine
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft PhotoStudio 5.5
    Bonjour
    Broadcom Management Programs
    Browser Address Error Redirector
    Canon G.726 WMP-Decoder
    Canon MovieEdit Task for ZoomBrowser EX
    Canon RAW Image Task for ZoomBrowser EX
    Canon ScanGear Toolbox CS 2.2
    Canon Utilities CameraWindow
    Canon Utilities CameraWindow DC
    Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    Canon Utilities MyCamera
    Canon Utilities MyCamera DC
    Canon Utilities PhotoStitch
    Canon Utilities RemoteCapture DC
    Canon Utilities RemoteCapture Task for ZoomBrowser EX
    Canon Utilities ZoomBrowser EX
    Canon ZoomBrowser EX Memory Card Utility
    CanoScan LiDE 90
    CCleaner
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    Compatibility Pack for the 2007 Office system
    Conexant HDA D330 MDC V.92 Modem
    Dell DataSafe Online
    Dell Getting Started Guide
    Dell Support Center
    Dell Touchpad
    Dell Webcam Center
    Dell Webcam Manager
    Dell Wireless WLAN Card
    Digital Line Detect
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Java(TM) SE Runtime Environment 6
    Laptop Integrated Webcam Driver (1.04.01.1011)
    Live! Cam Avatar Creator
    Live! Cam Avatar v1.0
    Malwarebytes Anti-Malware version 1.70.0.1100
    MediaDirect
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Office File Validation Add-In
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Modem Diagnostic Tool
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Music, Photos & Videos Launcher
    NetWaiting
    Norton Security Scan
    NVIDIA Drivers
    OutlookAddinSetup
    Product Documentation Launcher
    QuickSet
    QuickTime
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio Update Manager
    ScanSoft OmniPage SE 4
    Security Update for CAPICOM (KB931906)
    Trend Micro PC-cillin Internet Security
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    User's Guides
    .
    ==== End Of File ===========================
    DDs
    ======
    DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
    Internet Explorer: 8.0.6001.18882
    Run by Eleanor at 17:29:22 on 2013-03-03
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Windows\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    uWindow Title = Internet Explorer provided by Dell
    uDefault_Page_URL = hxxp://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=4080315
    BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0\bin\ssv.dll
    BHO: {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - <orphaned>
    BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\dell\bae\BAE.dll
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [lantc] "c:\windows\system32\rundll32.exe" "c:\users\eleanor\appdata\roaming\lantc.dll",set_rows
    uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103470 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.1; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://games.yahoo.com/game/daily-jigsaw-shockwave.html"
    mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
    mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
    mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [dscactivate] c:\program files\dell support center\gs_agent\custom\dsca.exe
    mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
    mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
    mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
    mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
    mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-ca.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-ca.cab
    TCP: NameServer = 192.168.0.1
    TCP: Interfaces\{FFE9644A-BE09-4801-A070-449BE5593F54} : DHCPNameServer = 192.168.0.1
    LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
    .
    ============= SERVICES / DRIVERS ===============
    .
    .
    =============== Created Last 30 ================
    .
    2013-03-03 22:17:57 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2013-03-03 22:17:53 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-03-03 22:17:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2013-03-03 20:34:46 77312 ----a-w- c:\windows\system32\ztvunace26.dll
    2013-03-03 20:34:46 77072 ----a-w- c:\windows\system32\ztvcabinet.dll
    2013-03-03 20:34:46 75264 ----a-w- c:\windows\system32\unacev2.dll
    2013-03-03 20:34:46 605968 ----a-w- c:\windows\system32\ztv7z.dll
    2013-03-03 20:34:46 185616 ----a-w- c:\windows\system32\ztvunrar39.dll
    2013-03-03 20:34:46 169744 ----a-w- c:\windows\system32\ztvunrar36.dll
    2013-03-03 20:34:46 153088 ----a-w- c:\windows\system32\UNRAR3.dll
    2013-03-03 20:34:45 -------- d-----w- c:\programdata\Simply Super Software
    2013-03-03 17:38:55 -------- d-----w- c:\program files\CCleaner
    2013-03-03 07:58:45 6954968 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{fdfa2459-5093-4e1c-a93e-b93fc8a9b421}\mpengine.dll
    2013-03-03 01:57:15 -------- d-----w- c:\users\eleanor\appdata\roaming\Malwarebytes
    2013-03-03 01:57:08 -------- d-----w- c:\programdata\Malwarebytes
    2013-02-17 00:26:57 -------- d-----w- c:\programdata\B034A860F6E2A0070000B033F833A6AF
    2013-02-16 02:37:19 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-02-16 02:37:19 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    .
    ==================== Find3M ====================
    .
    2013-01-17 06:28:58 232336 ------w- c:\windows\system32\MpSigStub.exe
    .
    ============= FINISH: 17:30:16.20 ===============
     
  6. Broni

    Broni Malware Annihilator Posts: 48,031   +271

    Any particular reason why you ran all scans from safe mode?
     
  7. krotchbat

    krotchbat TS Rookie Topic Starter

    No. I was already in safe mode. Obviously just forgot to switch back. Would that really affect the outcome?
     
  8. Broni

    Broni Malware Annihilator Posts: 48,031   +271

    Yes. I need all logs from normal mode.
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.