computer trojan/hacked?

Comments

  • RussJK
    RussJK Posts: 2,359 Forumite
    edited 12 July 2011 at 7:19PM

    Press no.

    Before anything else, save Hijackthis to the desktop (right click, save as) (http://www.trendmicro.com/ftp/products/hijackthis/beta/HijackThis.exe). Then RIGHT CLICK and Run as (current user), untick protect me. Do a SCAN and SAVE A LOG. Don't FIX anything, just post the log that comes up in notepad please. Let me know if it doesn't work.

    If Hijackthis works and you've posted a lot, then try Hitmanpro again as Still the one suggested. Use the LEFT CTRL method if needed.


    If that works, then try Malwarebytes: (https://store.malwarebytes.org/342/purl-mbam-download) Update, QUICK scan, clean, post log please.
  • dezz99
    dezz99 Posts: 494 Forumite
    Tenth Anniversary 100 Posts
    RussJK wrote: »
    Press no.

    Before anything else, save Hijackthis to the desktop (right click, save as) (http://www.trendmicro.com/ftp/products/hijackthis/beta/HijackThis.exe). Then RIGHT CLICK and Run as (current user), untick protect me. Do a SCAN and SAVE A LOG. Don't FIX anything, just post the log that comes up in notepad please. Let me know if it doesn't work.

    If Hijackthis works and you've posted a lot, then try Hitmanpro again as Still the one suggested. Use the LEFT CTRL method if needed.

    If that works, then try Malwarebytes: (https://store.malwarebytes.org/342/purl-mbam-download) Update, QUICK scan, clean, post log please.

    OK, if I press no, I go into System Restore... NOT safe mode... is that correct?

    I have saved HijackThis to my USB drive now.

    Do you want me to go into safe mode, run HijackThis in safe mode and then post the log here?
  • RussJK
    RussJK Posts: 2,359 Forumite
    Sorry this is probably too much for you - just run system restore and see what happens.
  • dezz99
    dezz99 Posts: 494 Forumite
    Tenth Anniversary 100 Posts
    RussJK wrote: »
    Sorry this is probably too much for you - just run system restore and see what happens.

    Sorry mate, just wanted to follow instructions...

    Here is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 19:10:03, on 12/07/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Explorer.EXE
    F:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Security Protection] C:\Documents and Settings\All Users\Application Data\defender.exe
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Startup: OpenOffice.org 3.0.lnk = C:\Documents and Settings\Owner\My Documents\OpenOffice.org 3\program\quickstart.exe
    O4 - Startup: virtualseasonplayer4.2.lnk = C:\Program Files\Virtualseason Player 4.2\virtualseasonplayer4.2.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

    --
    End of file - 4324 bytes
  • dezz99
    dezz99 Posts: 494 Forumite
    Tenth Anniversary 100 Posts
    HitmanPro isn't loading as it is saying there is no internet connection... just going to try malware now...
  • RussJK
    RussJK Posts: 2,359 Forumite
    edited 12 July 2011 at 7:23PM
    Nice work. In Hijackthis, TICK and FIX the following:
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Security Protection] C:\Documents and Settings\All Users\Application Data\defender.exe
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')


    Interesting about taskswitch.exe: up until recently Malwarebytes had all files named 'taskswitch.exe' on a whitelist, so it wouldn't detect it even if it had the signatures for it.

    I'm a bit wary of these - do you speak Japanese and use Japanese text? If not, you can probably TICK and FIX these too:
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
  • closed
    closed Posts: 10,886 Forumite
    O4 - HKCU\..\Run: [Security Protection] C:\Documents and Settings\All Users\Application Data\defender.exe
    !!
    > . !!!! ----> .
  • dezz99
    dezz99 Posts: 494 Forumite
    Tenth Anniversary 100 Posts
    OK mate, I deleted the 4 files you told me to from HijackThis.

    I could not update the Malwarebytes program, so I just had to run the one that I downloaded from the first page of this thread.

    It found 4 trojans (I haven't removed them yet).

    Here is the log:

    Malwarebytes' Anti-Malware 1.51.0.1200
    https://www.malwarebytes.org

    Database version: 6705

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    12/07/2011 19:26:32
    mbam-log-2011-07-12 (19-26-18).txt

    Scan type: Quick scan
    Objects scanned: 138089
    Time elapsed: 6 minute(s), 27 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Security Protection (Trojan.FakeAlert) -> Value: Security Protection -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> No action taken.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\all users\application data\defender.exe (Trojan.FakeAlert) -> No action taken.


    Should I remove the 4 files now?
  • closed
    closed Posts: 10,886 Forumite
    edited 12 July 2011 at 7:38PM
    Yes, then reboot, update and do a full scan.
    !!
    > . !!!! ----> .
  • RussJK
    RussJK Posts: 2,359 Forumite
    Yes, but you'll have to restart either into SAFE MODE WITH NETWORKING, or into Normal mode.

    Alternatively, transfer over the offline Malwarebytes updater: http://www.malwarebytes.org/mbam/database/mbam-rules.exe
This discussion has been closed.