SA-MP Forums

Old 10/08/2010, 04:49 PM   #1
Mrkrabz
High-roller
 
Join Date: Sep 2007
Location: United Kingdom
Posts: 2,081
Reputation: 258
Trojan Removal

Right, before we start, and before anyone says... I did not get this from downloading, porn, websites, or whatever the fuck else. I'm not even going to say.

Basically, here are the logs.

http://pastebin.com/zrTdNayJ

It's infecting all .exe's. That's the basics of it.
And before you say it (YES.. that is a downloaded version of SA, but my installation disk does not work. So in a way it is not.)

Here are some HijackThis logs:


Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:48:02, on 10/08/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Avira\AntiVir Desktop\sched.exe
E:\Program Files\Avira\AntiVir Desktop\avguard.exe
E:\Program Files\Avira\AntiVir Desktop\avshadow.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\Program Files\Avira\AntiVir Desktop\avgnt.exe
E:\Program Files\TortoiseSVN\bin\TSVNCache.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Windows Media Player\WMPNSCFG.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\mIRC\mirc.exe
E:\Program Files\Spotify\spotify.exe
E:\Program Files\Skype\Phone\Skype.exe
E:\Program Files\Skype\Plugin Manager\skypePM.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
E:\WINDOWS\system32\dllhost.exe
E:\Documents and Settings\Grant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Grant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Grant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Grant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Grant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\WinRAR\WinRAR.exe
E:\Program Files\Notepad++\notepad++.exe
E:\Program Files\ClamAV for Windows\1.0.26\agent.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Documents and Settings\Grant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Grant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Grant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Documents and Settings\Grant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\WINDOWS\system32\msiexec.exe
E:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.229.50.14:3128
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - E:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "E:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [SwitchBoard] E:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [amd_dc_opt] E:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 5.3\THGuard.exe"
O4 - HKLM\..\Run: [Immunet Protect] "E:\Program Files\ClamAV for Windows\1.0.26\iptray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] E:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - E:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - E:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - E:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - E:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9B7AE08-9296-43FF-A75E-D0F0C46CE878}: NameServer = 8.8.8.8,8.8.4.4
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - E:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - E:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - E:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AODService - Unknown owner - E:\Program Files\AMD\OverDrive\AODAssist.exe
O23 - Service: Apache2.2 - Apache Software Foundation - D:\xampp\apache\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ClamAV for Windows (ImmunetProtect) - Immunet Corporation - E:\Program Files\ClamAV for Windows\1.0.26\agent.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mysql - Unknown owner - D:\xampp\mysql\bin\mysqld.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - E:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: wampapache - Apache Software Foundation - E:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - E:\wamp\bin\mysql\mysql5.1.36\bin\mysqld.exe

--
End of file - 9383 bytes

The Trojan/malware is called W32/Stanit; I'm also guessing this is a network worm.
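Added example, not part of the original post and not anyone's code from this thread: a small Python triage script that parses the R/F/O entries of a HijackThis log like the one above and pulls out the lines a defender would check first. The sample log lines are copied verbatim from the log in this post; the severity scale and the choice of which sections to flag (an R1 proxy pointing at a public address, O1 hosts-file overrides, an O2 BHO whose DLL is gone, O23 services with a missing binary or no vendor name) are my own triage assumptions, not something HijackThis itself reports.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Lines copied verbatim from the HijackThis log in the post above (not constructed),
# cut down to the entries this triage looks at plus a few benign ones for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.229.50.14:3128
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9B7AE08-9296-43FF-A75E-D0F0C46CE878}: NameServer = 8.8.8.8,8.8.4.4
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AODService - Unknown owner - E:\Program Files\AMD\OverDrive\AODAssist.exe
O23 - Service: mysql - Unknown owner - D:\xampp\mysql\bin\mysqld.exe (file missing)
"""


@dataclass
class Entry:
    section: str  # HijackThis section tag, e.g. "R1", "O1", "O23"
    body: str     # text after the "Oxx - " prefix
    line: str     # the full original line, kept for reporting


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "low" (my own scale, see lead-in)
    reason: str
    line: str


# Every HijackThis entry starts with a section tag (R0-R3, F0-F1, O1-O24), a dash, then the body.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")


def parse(text: str) -> list[Entry]:
    """Extract the tagged entries from a HijackThis log; header and process-list lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"], raw.strip()))
    return entries


def classify_proxy(target: str) -> tuple[str, str]:
    """Rate an R1 ProxyServer value. A public IP literal is the worrying case: all IE
    traffic is being relayed through a box the user almost certainly did not choose."""
    host = target.rsplit(":", 1)[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "medium", f"IE proxy points at hostname {host}; confirm it is expected"
    if addr.is_private or addr.is_loopback:
        return "low", f"IE proxy set to local/private address {host}"
    return "high", f"IE proxy set to public address {host}; browser traffic is relayed through it"


def triage(entries: list[Entry]) -> list[Finding]:
    """Flag the entry types that most often carry a hijack, most urgent first."""
    findings: list[Finding] = []
    for e in entries:
        if e.section == "R1" and "ProxyServer = " in e.body:
            target = e.body.split("ProxyServer = ", 1)[1].strip()
            severity, reason = classify_proxy(target)
            findings.append(Finding(e.section, severity, reason, e.line))
        elif e.section == "O1" and e.body.startswith("Hosts:"):
            findings.append(Finding(e.section, "high",
                "hosts file pins a name to a fixed address, bypassing DNS for that host", e.line))
        elif e.section == "O2" and e.body.endswith("(no file)"):
            findings.append(Finding(e.section, "medium",
                "BHO is registered but its DLL is gone; leftover of a removal or a broken install", e.line))
        elif e.section == "O23":
            if e.body.endswith("(file missing)"):
                findings.append(Finding(e.section, "medium",
                    "service points at a binary that no longer exists", e.line))
            elif " - Unknown owner - " in e.body:
                findings.append(Finding(e.section, "low",
                    "service binary carries no vendor information; verify where it came from", e.line))
    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: rank[f.severity])  # stable sort: log order kept within a level
    return findings


if __name__ == "__main__":
    for f in triage(parse(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n          {f.line}")
```

Run as a script it prints the proxy line and the two hosts entries first, then the orphaned BHO and the missing mysql binary, and skips the Avira, Spybot, NVIDIA and DNS entries. A script like this only narrows the list: each flagged entry still has to be checked by hand, because a proxy that was set on purpose, or a service from a vendor that simply omits its name, shows up exactly the same way.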
Old 10/08/2010, 05:13 PM   #2
MWF2
Huge Clucker
 
Join Date: May 2010
Posts: 388
Reputation: 0
Re: Trojan Removal

I have fixed a friend's computer with that virus before.


1. How many computers are on the same network? Disconnect them. This virus affects networks and doesn't have to have started from your network. It could be from another computer. If not, it is from yours.

2. I used the AVIRA Removal Tool when I had to fix this virus. It works perfectly but doesn't get rid of the whole thing. So...

Disconnect your internet, then scan with this tool (of course after you download it lol).

3. After the removal tool gets rid of some of the infection, try your own antivirus, and if you're using a PC go to Run, type MRT and use the Microsoft malicious removal tool and see if it detects anything. If so, get rid of it.

4. If, like I said before, your computer is connected to a network with other computers as well, make sure before you connect your computer back to that network that you scan those computers for this virus as well.
Old 10/08/2010, 05:19 PM   #3
Mrkrabz
High-roller
 
Join Date: Sep 2007
Location: United Kingdom
Posts: 2,081
Reputation: 258
Re: Trojan Removal

Avira removal tool found nothing, already tried :3

Avira itself found all the .exe's infected but not the source.

Trying MRT now.
Old 10/08/2010, 05:21 PM   #4
MWF2
Huge Clucker
 
Join Date: May 2010
Posts: 388
Reputation: 0
Re: Trojan Removal

http://www.free-av.com/en/products/3...oval_tool.html

is the spot I think I got it from last time.
Old 10/08/2010, 05:41 PM   #5
Mrkrabz
High-roller
 
Join Date: Sep 2007
Location: United Kingdom
Posts: 2,081
Reputation: 258
Re: Trojan Removal

W32/Stanit.A
W32/Stanit

I have the bottom one and it detects the top. Dunno if they are the same, but it doesn't detect it.

Oh, and MRT found nothing.
Old 10/08/2010, 05:48 PM   #6
Toni
High-roller
 
Join Date: Aug 2009
Location: United States
Posts: 1,535
Reputation: 154
Re: Trojan Removal

Just a random shot, have you tried System Restore (so it can restore files before the infection)?
Old 10/08/2010, 05:52 PM   #7
MWF2
Huge Clucker
 
Join Date: May 2010
Posts: 388
Reputation: 0
Re: Trojan Removal

Really? wow...

If all the antivirus scans you try don't fix it, try it in safe mode. If that doesn't work, try to find the files that it infected, and if they are not needed, remove a lot of them.

If not, I have no idea lol. Worked for me..

Reformat?
Old 10/08/2010, 05:54 PM   #8
Mrkrabz
High-roller
 
Join Date: Sep 2007
Location: United Kingdom
Posts: 2,081
Reputation: 258
Re: Trojan Removal

System restore is pointless; that's where the Trojan is based. It's all infected. But thanks anyway.

I'm having a feeling it's just gone poof, because all virus alerts have gone, and everything is back to normal. We shall see what happens.
Old 10/08/2010, 07:57 PM   #9
joemomma53
Gangsta
 
Join Date: Jul 2007
Posts: 683
Reputation: 1
Re: Trojan Removal

Reinstall Windows; this way you are positive it's gone.
Old 11/08/2010, 12:49 AM   #10
Mrkrabz
High-roller
 
Join Date: Sep 2007
Location: United Kingdom
Posts: 2,081
Reputation: 258
Re: Trojan Removal

I really can't be bothered. No signs just now, so I'm not bothered.

All times are GMT.


Powered by vBulletin® Version 3.8.6
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.