Nucleus

I think I have a trojan and am very upset. Any help would be appreciated!


Hello everyone. I am writing this from an Ubuntu LiveCD so it will not be read by whoever is (possibly) trojanning me. I am not 100% convinced I have a trojan, but I would really appreciate your help. First off, I am running NOD32 anti-virus and Sygate Personal Firewall.

Basically, I was reading a forum when all of a sudden my browser went to a different URL (not a popup, a full page change, which I believe is a common feature in some trojans). The site went to "www.6pm.com" but I am sure I didn't click on anything. When I went back, I noticed there was no banner ad or anything that I could have clicked on, and I did a "view source" on the page and searched for "6pm.com" and it couldn't find anything. This was on Firefox.

I noticed the Sygate icon was flashing as if to indicate an attack, but usually these don't mean anything and are just some random port scan or something. Because of the 6pm.com thing, I decided to open the log and see what IP address it was coming from. I googled for "Geobytes" because I remembered they had an IP locator, and then I tried to copy and paste the IP from the log into Geobytes. Although I selected it and did copy, it copied something else random that had not been in my clipboard (I forget what it was; I brushed it off as something from the computer). It wasn't that strange (like ^$(%^$(% or anything), but it wasn't what I wanted to copy. I tried several times and failed. Finally, one of the times I copied something, and I am so mad, but I forget what it said; it looked as if an attacker could have copied some identification settings for my computer into my own clipboard. From what I can remember, it had my user account name and my computer name. It definitely had other things as well (I am sure I would have noticed if it had my IP, but I was in such a hurry trying to copy the IP address I might have missed it). Unfortunately, I copied over that text and got the IP (which wasn't able to be traced, according to Geobytes).

After that I shut down. I am very upset, as I don't see how I could recover from something like this, as obviously my anti-virus and firewall are insufficient. One solution I thought of would be reinstalling Windows (I currently have XP). Would I be able to keep all of my data but have it clear everything that could possibly be starting up? Another option I thought of would be upgrading to Vista. Would this allow me to keep all of my data but clear everything from starting up? I know rootkits and trojans have all sorts of hiding places other than the usual registry / msconfig startup areas, so I need something complete. I know Vista is supposed to be more secure, so it would make sense that upgrading to it would clear out everything that used to start up in the more insecure versions of Windows.

Below this is my HijackThis log file (it was made while I had Sygate set to block all internet traffic. If that screws up the log file in any way, please tell me and I'll make a new log without the Sygate block). Any advice on this would be very much appreciated. Thank you very much!


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:26:49 PM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Alex\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2526.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7666 bytes

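A small triage helper for a log in this format, added here as an example; it is not part of the original post and not HijackThis code. It parses the entry lines (R*, O2, O4, O16, O23 and so on), extracts the file each entry points to, and flags three things a reviewer looks for first: entries whose target is "(no file)" (orphaned registry references, usually leftovers from an uninstall rather than malware, but worth cleaning), Run entries that name a bare filename such as CTHELPER.EXE or a DLL handed to rundll32 without a directory (Windows resolves these through its search order, so a planted file of the same name found earlier in that order would run instead of the intended one), and O16 DPF entries, which are ActiveX controls downloaded from a URL. The sample input is a handful of lines copied from the log above; the Finding class, the flag names and their ordering are this example's own.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol 120\StarWind\StarWindService.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Flag names are this example's own, ordered from most to least interesting.
SEVERITY = {"orphan": 0, "relative_path": 1, "activex_download": 2, "ok": 3}


@dataclass
class Finding:
    section: str
    label: str
    target: str
    flag: str


def split_command(cmd: str) -> Tuple[str, str]:
    """Return (first token, remainder); the first token may be a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def run_entry_target(cmd: str) -> str:
    """File an O4 Run entry actually loads: the exe, or the DLL handed to rundll32."""
    exe, rest = split_command(cmd)
    if exe.lower().endswith("rundll32.exe"):
        dll, _ = split_command(rest)
        return dll.split(",", 1)[0]  # drop the ",EntryPoint" suffix
    return exe


def classify(line: str) -> Optional[Finding]:
    """Turn one log line into a Finding, or None for header/process-list lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    if section == "O4":
        o4 = O4_RE.match(body)
        if not o4:
            return None  # Startup-folder .lnk lines have a different shape; skipped here
        target = run_entry_target(o4.group("cmd"))
        flag = "ok" if ABS_PATH_RE.match(target) else "relative_path"
        return Finding(section, o4.group("name"), target, flag)

    if section == "O16":
        # DPF = ActiveX control downloaded from the URL after the last " - "
        label, url = body.rsplit(" - ", 1)
        return Finding(section, label, url.strip(), "activex_download")

    # R*, O2, O3, O9, O18, O22, O23: the loaded file is the last " - " segment
    parts = body.split(" - ")
    target = parts[-1].strip()
    if target == "(no file)":
        flag = "orphan"
    elif ABS_PATH_RE.match(target):
        flag = "ok"
    else:
        flag = "relative_path"
    return Finding(section, parts[0], target, flag)


def triage(log_text: str) -> List[Finding]:
    """Parse every entry line and return findings, most suspicious first."""
    findings = [f for f in map(classify, log_text.splitlines()) if f is not None]
    return sorted(findings, key=lambda f: SEVERITY[f.flag])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.flag:17}{f.section:5}{f.label:45}{f.target}")
```

Run it against a full log by passing the file's contents to triage(). The "relative_path" hits in the posted log (CTHELPER.EXE, CTXFIHLP.EXE, NvMCTray.dll) are all Creative and NVIDIA helpers that happen to live in C:\WINDOWS or system32, so they are not evidence of infection by themselves; the point of the flag is that such entries are the ones to verify by checking which file on disk the name actually resolves to.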

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]


Hi,

Sorry you've had to wait for a few days, but all of the helpers here are volunteers and we've been really busy recently.

First, please download ComboFix from Here or Here to your Desktop.

  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Once you have run ComboFix and before posting your log from that scan, please download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the icon next to the files found (image: check.gif).
  • If so, click it, then click the icon right below and select Move incurable, as shown in the next image (image: move.gif).
    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

I'll look out for your reply :)


Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
