Bad News:Trojan Infection
  • Bad News:Trojan Infection

    Well, I came home in a good mood and then everything went sour. My McAfee popped up with a VirusScan alert saying it found a Trojan in C://Windows/System32/NTBIOS.dll; the name was Generic.dx. I'm not experienced at all with these kinds of problems. Can anyone here help me or direct me to a good tech site? Here's my HijackThis log in case anyone wants to help:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:58:51 PM, on 9/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
    C:\Program Files\ThreatFire\TFTray.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\Creative\DVDAudio\CTDVDDET.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Documents and Settings\Mr Fighter\Desktop\[email protected]\[email protected]
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\spupdsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\ThreatFire\TFService.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\ehome\medctrro.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Xfire\Xfire.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\Documents and Settings\Mr Fighter\Desktop\[email protected]\FahCore_a0.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Mr Fighter\Desktop\HiJackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tacticalgamer.com/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - Startup: [email protected] = C:\Documents and Settings\Mr Fighter\Desktop\[email protected]\[email protected]
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Startup: Teamspeak 2 RC2.lnk = C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1221768014600
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupda...5105/CTPID.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

    --
    End of file - 10243 bytes

    I'm on SP2 because of possible compatibility issues with ThreatFire and SetPoint, in case you're wondering.
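A HijackThis log like the one above is read section by section: O2 (browser helper objects), O4 (Run keys and Startup folders) and O23 (services) are the autorun points a responder checks first. The script below is an added example, not HijackThis or forum code: it parses those three sections and flags the entries worth verifying before anything else, namely services with an unknown owner, autoruns that name a bare executable with no directory (which Windows resolves through its PATH search order, so the log alone cannot say which copy runs), autoruns launched from a user-writable location, and RUNDLL32 entries, where the loaded DLL rather than rundll32 itself is the thing to inspect. The sample lines are modelled on the log in the thread plus one constructed entry (demo-tool.lnk, a placeholder path) to exercise the user-profile check; the flag names and heuristics are my own.

```python
"""Parse the autorun sections (O2/O4/O23) of a HijackThis v2 log and
flag entries a defender should verify first.  Added example; the flag
heuristics are the author's, not part of HijackThis."""
import re
from dataclasses import dataclass

# Constructed sample: real-format lines modelled on the thread's log, plus
# one placeholder entry (demo-tool.lnk) to exercise the user-profile check.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: demo-tool.lnk = C:\Documents and Settings\someuser\Desktop\demo-tool\demo-tool.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

# One regex per HijackThis section we care about.
RUN_RE     = re.compile(r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
STARTUP_RE = re.compile(r'^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$')
SERVICE_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$')
BHO_RE     = re.compile(r'^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<cmd>.+)$')
SECTIONS   = (('run', RUN_RE), ('startup', STARTUP_RE), ('service', SERVICE_RE), ('bho', BHO_RE))

# The program image is the shortest prefix ending in an executable extension
# that is followed by whitespace, a quote, a comma or end of line.  This copes
# with unquoted paths containing spaces ("C:\Program Files\...\x.exe /min").
EXT_RE      = re.compile(r'^(?P<img>.*?\.(?:exe|dll|cpl|scr|bat|cmd))(?=[\s",]|$)', re.IGNORECASE)
DRIVE_RE    = re.compile(r'^[A-Za-z]:\\')
USER_DIR_RE = re.compile(r'\\(?:documents and settings|users|desktop|temp|appdata)\\', re.IGNORECASE)


@dataclass
class Entry:
    kind: str            # 'run' | 'startup' | 'service' | 'bho'
    name: str
    cmd: str             # raw command/path text from the log line
    image: str           # executable or DLL that actually runs
    hive: str = ''
    owner: str = ''      # services only
    clsid: str = ''      # BHOs only


def image_path(cmd):
    """Return the program image named first in a command line."""
    cmd = cmd.strip().lstrip('"')
    m = EXT_RE.match(cmd)
    return m.group('img') if m else cmd.split('"')[0].split()[0]


def parse_hjt(text):
    """Return an Entry for every O2/O4/O23 line; other sections are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in SECTIONS:
            m = rx.match(line)
            if m:
                d = m.groupdict()
                entries.append(Entry(kind, d['name'], d['cmd'], image_path(d['cmd']),
                                     d.get('hive', ''), d.get('owner', ''), d.get('clsid', '')))
                break
    return entries


def dll_loaded(e):
    """For a RUNDLL32 autorun, return the DLL it loads; otherwise ''."""
    if e.image.rsplit('\\', 1)[-1].lower() != 'rundll32.exe':
        return ''
    rest = e.cmd.strip().lstrip('"')[len(e.image):].lstrip('" ')
    m = EXT_RE.match(rest)
    return m.group('img') if m else ''


def flags(e):
    """Heuristic labels (author's own) for entries to verify first."""
    out = []
    if e.kind == 'service' and e.owner.strip().lower() == 'unknown owner':
        out.append('unknown-owner')        # no publisher recorded: check file signature and hash
    if not DRIVE_RE.match(e.image):
        out.append('bare-name')            # resolved via PATH search order: confirm which file runs
    if USER_DIR_RE.search(e.image):
        out.append('user-writable-path')   # autorun from a location any user process can write
    if dll_loaded(e):
        out.append('rundll32')             # the DLL, not rundll32.exe, is what to inspect
    return out


def triage(text):
    """Map each flag to the entries that raised it, as 'name -> image' strings."""
    report = {}
    for e in parse_hjt(text):
        for f in flags(e):
            target = dll_loaded(e) if f == 'rundll32' else e.image
            report.setdefault(f, []).append(f"{e.name} -> {target}")
    return report


if __name__ == '__main__':
    for flag, items in sorted(triage(SAMPLE_LOG).items()):
        print(flag)
        for item in items:
            print('   ', item)
```

A flag is a verification order, not a verdict: every flagged file still has to be checked by publisher, signature and hash, and an unflagged path under Program Files proves nothing about the file that actually sits there.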

  • #2
    Re: Bad News:Trojan Infection

    malwarebytes.org In my opinion Norton and macrap are worthless. But if you want to clean up, use that free progy and also ....combofix....

    • #3
      Re: Bad News:Trojan Infection

      Plenty of free sites will scan and remove viruses and Trojans from your computer with little input actually coming from you, except for maybe confirmation of the disinfecting.
      A topic was discussed about this a while back, I believe, but I like doing multiple scans every once in a while just to be on the safe side, such as Trend Micro's HouseCall, maybe using Safety Scanner from Microsoft, or even going to ESET.com and using the free version of NOD32 AV. Kaspersky has a free online scanner as well, but it doesn't disinfect your computer; it will let you know what is infected... or it used to, anyway.
      You may be asked to download a small install file, but it is not the whole program from any of these sites, and they should not conflict with the McAfee already running on your computer. They may also need to download virus updates before they actually start scanning.

      • #4
        Re: Bad News:Trojan Infection

        Step 1. Stop watching porn
        A good FREE anti-virus is AVG, but Trend Micro HijackThis is your best bet for detecting it.
        Try manually removing it through the registry.

        • #5
          Re: Bad News:Trojan Infection

          Oh, this is easy stuff. Remove McAfee. Download AVG, let it update and run it. Better yet, point AVG where to scan, i.e. the file that is known to be infected, and let it do its job. Next, look up that particular trojan, its full name. There are all sorts of helps that will help you remove said file.


          If you need any more help, post. I did this every day for the college I worked at, and it wasn't even my job. Network admins were more concerned with external threats than the internal cesspool that was our school's network.
          that sounds like a good idea trooper.
          -Vulcan

          • #6
            Re: Bad News:Trojan Infection

            AVG or Kaspersky would kill this easy letting you watch all the porn your 13 year old mind could ever even have in a dream.. Yes that one certain type of dream.
            "A Veteran is someone who , at one point in their life, wrote a blank check made payable to
            'The United States of America' for an amount of 'up to and including my life'. That is honor, and there are way too many people in this country who no longer understand it."-Author Unknown

            "I got kicked out of barnes and noble once for moving all the bibles into the fiction section" -Any.

            • #7
              Re: Bad News:Trojan Infection

              Personally I use Durex and haven't had an infection yet.
              I'm not racist, I have republican friends. Radio show host.
              - "The essence of tyranny is the denial of complexity". -Jacob Burkhardt
              - "A foolish consistency is the hobgoblin of little minds" - Emerson
              - "People should not be afraid of its government, government should be afraid of its People." - Line from V for Vendetta
              - If software were as unreliable as economic theory, there wouldn't be a plane made of anything other than paper that could get off the ground. Jim Fawcette
              - "Let me now state what seems to me the decisive objection to any conservatism which deserves to be called such. It is that by its very nature it cannot offer an alternative to the direction in which we are moving." -Friedrich Hayek
              - "Don't waste your time on me, you're already the voice inside my head." Blink 182 to my wife

              • #8
                Re: Bad News:Trojan Infection

                You guys should check out what I posted. My friend works on infected PCs all day long and it is fast, easy and very effective.

                • #9
                  Re: Bad News:Trojan Infection

                  SmitFraudFix by S!Ri
                  This little prog has saved me from the majority of trojans I've gotten. Read up on it before you use it. Used mainly for trojans that install desktop popups.

                  • #10
                    Re: Bad News:Trojan Infection

                    Originally posted by Imapayne:
                    You guys should check out what I posted. My friend works on infected PCs all day long and it is fast, easy and very effective.
                    I don't recommend you run ComboFix as a cure-all. It's possible (albeit unlikely) that you can crash your OS when using it. Has happened to me twice in the 80 or so times I've used it in the last couple months. Something you have to be aware of.

                    For a minor infection like this, Malwarebytes Anti-Malware, Spybot S&D and a combo virus scan (AVG on your PC and an online scan a la HouseCall or Kaspersky or whichever) should be enough to deal with pretty much everything.

                    Anything more complicated than that and I'd go post on one of those anti-spyware forums, where they'll walk you through running ComboFix and HijackThis and other programs best left to people who know what they're doing with them.
                    a.k.a. NinjaPirateAssassin
                    Celibacy is not Hereditary.
                    Everybody should believe in something - I believe I'll have another drink.
                    Happiness is like wetting your pants, everyone can see it but only you can feel the warmth.
                    Flying is easy, Just throw yourself at the ground and miss!

                    • #11
                      Re: Bad News:Trojan Infection

                      Originally posted by Spyder:
                      I don't recommend you run ComboFix as a cure-all. It's possible (albeit unlikely) that you can crash your OS when using it. Has happened to me twice in the 80 or so times I've used it in the last couple months. Something you have to be aware of.

                      For a minor infection like this, Malwarebytes Anti-Malware, Spybot S&D and a combo virus scan (AVG on your PC and an online scan a la HouseCall or Kaspersky or whichever) should be enough to deal with pretty much everything.

                      Anything more complicated than that and I'd go post on one of those anti-spyware forums, where they'll walk you through running ComboFix and HijackThis and other programs best left to people who know what they're doing with them.
                      I ran Malwarebytes; it didn't find anything. Ran ESET's online scanner and found yet something else I was totally unaware of, Win32.g.Patched Virus or something like that. It deleted the dll in my system32 that contained the virus. Still no news on the trojan.

                      • #12
                        Re: Bad News:Trojan Infection

                        Sorry for the double post, but.... I am sad to say goodbye to the very light load I have on here. I have been unfortunate enough to have to reformat. So begins the painful journey... :(