[Solved] Trojan found, help~!

Discussion in 'Virus and Malware Removal' started by WonderGirls, Nov 17, 2010.

Thread Status:
Not open for further replies.
  1. Broni Malware Annihilator

    Hold on, please...
  2. Broni Malware Annihilator

  3. WonderGirls Newcomer, in training

  4. Broni Malware Annihilator

    OK :)..................
  5. WonderGirls Newcomer, in training

    ESET won't run. Every time I try running it in IE, it freezes, then restarts IE. Any other ways?
  6. Broni Malware Annihilator

    Please run a BitDefender Online Scan

    • Disable your antivirus program.
    • Click Start Scanner button.
    • Click Start scan button
    • Allow browser plug-in to be installed when prompted.
    • Click I Agree to agree to the EULA.
    • Please refrain from using the computer until the scan is finished.
    • When the scan is finished, click on View log.
    • Notepad will open with scan results.
    • Save the report to your desktop and post its content in your next reply.
  7. WonderGirls Newcomer, in training

    QuickScan Beta 32-bit v0.9.9.51
    -------------------------------
    Scan date: Wed Nov 17 22:56:47 2010
    Machine ID: 5467B4C0

    C:\Program Files (x86)\Skype\\Phone\Skype.exe - could not be accessed


    No infection found.
    -------------------



    Processes
    ---------
    ButtonMonitor 3868 C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
    Creative Multimedia Driver 3924 C:\Windows\CNYHKey.exe
    CyberLink MediaLibray Service 3960 C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe
    Google Chrome 312 C:\Users\Chris\AppData\Local\Google\Chrome\Application\chrome.exe
    Google Chrome 524 C:\Users\Chris\AppData\Local\Google\Chrome\Application\chrome.exe
    Google Chrome 2976 C:\Users\Chris\AppData\Local\Google\Chrome\Application\chrome.exe
    Google Chrome 3116 C:\Users\Chris\AppData\Local\Google\Chrome\Application\chrome.exe
    Google Chrome 3884 C:\Users\Chris\AppData\Local\Google\Chrome\Application\chrome.exe
    Google Chrome 4408 C:\Users\Chris\AppData\Local\Google\Chrome\Application\chrome.exe
    Google Chrome 5100 C:\Users\Chris\AppData\Local\Google\Chrome\Application\chrome.exe
    Google Chrome 5160 C:\Users\Chris\AppData\Local\Google\Chrome\Application\chrome.exe
    Google Chrome 5308 C:\Users\Chris\AppData\Local\Google\Chrome\Application\chrome.exe
    Google Desktop 4008 C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
    GoogleToolbarNotifier 3508 C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    Hotkey Driver 4256 C:\Windows\ModLEDKey.exe
    iTunes 3588 C:\Program Files (x86)\iTunes\iTunesHelper.exe
    Java(TM) Platform SE Auto Updater 2 0 4036 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    Microsoft® Windows® Operating System 4080 C:\Windows\SysWOW64\conime.exe
    Windows Live Communications Platform 3956 C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
    Windows Live Messenger 3536 C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe


    Network activity
    ----------------
    Process chrome.exe (524) connected on port 443 (HTTP over SSL) --> 74.125.155.95
    Process chrome.exe (524) connected on port 443 (HTTP over SSL) --> 184.85.85.186
    Process chrome.exe (524) connected on port 443 (HTTP over SSL) --> 74.125.155.132
    Process msnmsgr.exe (3536) connected on port 1863 (MSN) --> 64.4.44.42
    Process msnmsgr.exe (3536) connected on port 58845 --> 125.60.240.201
    Process msnmsgr.exe (3536) connected on port 60224 --> 67.166.84.117
    Process msnmsgr.exe (3536) connected on port 45003 --> 173.73.178.104



    Autoruns and critical files
    ---------------------------
    Adobe Acrobat C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe
    Adobe Reader and Acrobat Manager C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    ButtonMonitor C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
    Catalyst® Control Center C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    Creative Multimedia Driver C:\Windows\CNYHKey.exe
    CyberLink MediaLibray Service C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe
    Google Desktop C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
    Google Desktop c:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktopNetwork3.dll
    Google Update C:\Users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe
    GoogleToolbarNotifier C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    iTunes C:\Program Files (x86)\iTunes\iTunesHelper.exe
    Java(TM) Platform SE Auto Updater 2 0 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    LchDrvKey.exe C:\Windows\LchDrvKey.exe
    Microsoft® Windows® Operating System C:\Program Files\Windows Media Player\WMPNSCFG.exe
    Microsoft® Windows® Operating System C:\Windows\ehome\ehTray.exe
    Microsoft® Windows® Operating System c:\windows\system32\browseui.dll
    Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
    QuickTime C:\Program Files (x86)\QuickTime\QTTask.exe
    Rainmeter C:\Program Files\Rainmeter\Rainmeter.exe
    Windows Live Messenger C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
    Windows® Internet Explorer c:\windows\syswow64\webcheck.dll


    Browser plugins
    ---------------
    AcroIEHelperShim Library c:\program files (x86)\common files\adobe\acrobat\activex\acroiehelpershim.dll
    Adobe Acrobat C:\Program Files (x86)\Internet Explorer\plugins\nppdf32.dll
    Adobe Acrobat C:\Program Files (x86)\Mozilla Firefox\plugins\nppdf32.dll
    BitDefender QuickScan C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdnkcidphdcakpkheohlhocaicfamjie\0.9.9.51_0\npqscan.dll
    BitDefender QuickScan C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdnkcidphdcakpkheohlhocaicfamjie\0.9.9.51_0\npqslauncher.dll
    Bonjour C:\Program Files (x86)\Bonjour\mdnsNSP.dll
    flashget FlashgetXpi C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\n2pj7jf4.default\extensions\{DB9127A2-3381-41ec-82B3-1B6ED4C6F29A}\components\FlashGetXPI.dll
    Google Toolbar for Internet Explorer c:\program files (x86)\google\google toolbar\googletoolbar_32.dll
    Google Update C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    Google Update C:\Users\Chris\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    GoogleToolbarNotifier C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
    InstallShield Update Service C:\Windows\Downloaded Program Files\dwusplay.dll
    InstallShield Update Service C:\Windows\Downloaded Program Files\dwusplay.exe
    InstallShield Update Service C:\Windows\Downloaded Program Files\isusweb.dll
    Java Deployment Toolkit 6.0.220.4 C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    Java(TM) Platform SE 6 U22 c:\program files (x86)\java\jre6\bin\jp2ssv.dll
    Java(TM) Platform SE 6 U22 C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
    LogMeIn Rescue Applet Downloader C:\Windows\Downloaded Program Files\RescueDlBroker.exe
    LogMeIn Rescue Applet Downloader C:\Windows\Downloaded Program Files\RescueDownloader.dll
    Microsoft Office 2010 C:\Program Files (x86)\Microsoft Office\Office14\NPAUTHZ.DLL
    Microsoft Office 2010 C:\Program Files (x86)\Microsoft Office\Office14\NPSPWRAP.DLL
    Microsoft Office 2010 c:\program files (x86)\microsoft office\office14\urlredir.dll
    Microsoft Office WRC Control C:\Windows\Downloaded Program Files\wrc32.ocx
    Microsoft® Windows Live Login Helper c:\program files (x86)\common files\microsoft shared\windows live\windowslivelogin.dll
    Microsoft® Windows Media Player Firefox C:\Program Files (x86)\Mozilla Firefox\plugins\np-mswmp.dll
    Microsoft® Windows® Operating System C:\Windows\System32\mswsock.dll
    Microsoft® Windows® Operating System C:\Windows\system32\napinsp.dll
    Microsoft® Windows® Operating System C:\Windows\system32\NLAapi.dll
    Microsoft® Windows® Operating System C:\Windows\system32\pnrpnsp.dll
    Microsoft® Windows® Operating System C:\Windows\System32\winrnr.dll
    Mozilla Default Plug-in C:\Program Files (x86)\Mozilla Firefox\plugins\npnul32.dll
    MSN® Games by Zone.com C:\Windows\Downloaded Program Files\MessengerStatsPAClient.dll
    Nexon Game Controller C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
    npitunes.dll C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll
    NPSWF32.dll C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin.dll
    QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin2.dll
    QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin3.dll
    QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin4.dll
    QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin5.dll
    QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin6.dll
    QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin7.dll
    QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll
    QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll
    QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll
    QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll
    QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll
    QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll
    QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll
    Silverlight Plug-In c:\Program Files (x86)\Microsoft Silverlight\4.0.50917.0\npctrl.dll
    Windows Presentation Foundation c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    Windows® Internet Explorer C:\Windows\SysWOW64\ieframe.dll


    Missing files
    -------------
    File not found: C:\Program Files (x86)\FlashGet Network\FlashGet 3\FlashGet3.exe
    --> HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"FlashGet 3"


    Scan
    ----


    No file uploaded.

    Scan finished - communication took 7 sec
    Total traffic - 0.04 MB sent, 635.59 KB recvd
    Scanned 612 files and modules - 17 seconds

    ==============================================================================
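    The "Missing files" section of the QuickScan report above flags a Run-key value ("FlashGet 3" under HKCU\...\Run) whose target executable no longer exists. The PowerShell below is an added example, not part of this thread and not BitDefender's or OTL's code; it enumerates the standard Run/RunOnce keys, extracts the executable path from each command line and reports every entry whose file is missing. The function name, the key list and the command-line parsing rules are my own choices, and the script only reports, it deletes nothing.

```powershell
# Added example (not from the thread): report autostart entries under the
# Run/RunOnce keys whose executable is missing from disk, the condition the
# QuickScan "Missing files" section reported for HKCU\...\Run\"FlashGet 3".
# Read-only: nothing is changed or deleted.

function Get-CommandTarget {
    # Extract the executable path from a registry command line such as
    #   "C:\Program Files (x86)\Foo\Foo.exe" /background
    #   C:\Program Files (x86)\Foo\Foo.exe /background        (unquoted, spaces)
    #   %ProgramFiles%\Foo\Foo.exe
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        # Quoted executable: everything up to the closing quote.
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted: paths with spaces are often written unquoted, so take up to the
    # first ".exe" token; otherwise fall back to the first whitespace.
    $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Find-OrphanedRunEntries {
    # Hypothetical helper name chosen for this example.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Provider metadata that Get-ItemProperty attaches to every item; skip it.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    $results = foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            $target = Get-CommandTarget -CommandLine ([string]$p.Value)
            # A relative or empty target also reports as missing; review those by hand.
            $exists = ($target -ne '') -and (Test-Path -LiteralPath $target -PathType Leaf)
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Target  = $target
                Exists  = $exists
            }
        }
    }
    $results | Where-Object { -not $_.Exists }
}

# Usage: list every autostart entry pointing at a file that is gone.
Find-OrphanedRunEntries | Format-Table Key, Name, Target -AutoSize
```

    An orphaned entry is usually what an uninstaller left behind, as with FlashGet here, and the value can simply be removed. It is still worth reading the full list once, because the value names and paths show exactly what has been set to start with the session, which is where a scanner's "Autoruns and critical files" section draws its picture from.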
  8. Broni Malware Annihilator

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please let me know how your computer is doing.
  9. WonderGirls Newcomer, in training

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Chris
    ->Temp folder emptied: 76251405 bytes
    ->Temporary Internet Files folder emptied: 48485752 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 48081366 bytes
    ->Flash cache emptied: 456 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Home
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 49722 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 165.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Chris
    ->Flash cache emptied: 0 bytes

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Home
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.17.3 log created on 11172010_230005

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...


    And my computer is running smoothly now, thanks Broni. So it was a trojan? And what is a defrag?
  10. Broni Malware Annihilator

    Well, if Trend called it that, most likely it was.

    And what is a defrag?
    Start>All Programs>Accessories>System Tools>Disk Defragmenter

    Good luck and stay safe :)