groove1
-
Posts
14 -
Joined
-
Last visited
Content Type
Events
Profiles
Forums
Posts posted by groove1
-
-
Malwarebytes' Anti-Malware 1.37
Database version: 2267
Windows 5.1.2600 Service Pack 3
6/12/2009 3:43:49 PM
mbam-log-2009-06-12 (15-43-49).txt
Scan type: Quick Scan
Objects scanned: 119950
Time elapsed: 4 minute(s), 29 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
Thx, Btw, that is from SnagIT which is another powerful program http://www.techsmith.com/screen-capture.asp
Anyway, nothing found and that scan was very fast. I am going to assume I am ok but will wait to confirm. I know this thing could potentially have been bad so I am glad I found it quickly.
-
-
Is this what I need to change and if so, what? Thanks.
-
Also, no problems that I know of; the backdoor.agent is not showing up on the MB or Symantec scans.
-
I went to update and it told me I was running the latest version but it appears to be the same:
Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3
6/12/2009 9:13:58 AM
mbam-log-2009-06-12 (09-13-58).txt
Scan type: Quick Scan
Objects scanned: 115196
Time elapsed: 7 minute(s), 53 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
In the interim you can use the On Screen Board which is slower but cannot be record by key loggers. For XP go to Start > Accesories > Accesibilty > On Screen Keyboard. Use this when logging into websites and email accounts until you are sure they keylogger is removed.
-
It's so true. Buy a Mac already.
-
Sorry, I did not see an edit button. I just realized that I had done a system restore yesterday because when I first ran MB it showed the version as being 1.36. So I think I restored everything back to the day when I made the changes. Our deskiside support guy was here and changed some things, so I wanted to change them back. This was the same day the backdoor agent was found, so when I went back to restore it to that day, that may have been when it showed up again. Here is the scan after deleting and running the HJT in the previous post.
Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3
6/11/2009 10:53:01 AM
mbam-log-2009-06-11 (10-53-01).txt
Scan type: Quick Scan
Objects scanned: 111672
Time elapsed: 4 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
A guy walks into a bar and says "Ouch".
-
MB detected this 3 days ago. I ran the scan yesterday and the day before and it was not there. Updated MB today, ran the scan and there it was again.
Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3
6/11/2009 9:03:51 AM
mbam-log-2009-06-11 (09-03-51).txt
Scan type: Quick Scan
Objects scanned: 115761
Time elapsed: 4 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation (Backdoor.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:31 AM, on 6/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
HJT Log:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Symantec AntiVirus\SNAC.EXE
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\altiris\aclient\aclient.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\altiris\aclient\AClntUsr.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\RightFax\Client\English\FaxCtrl.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SAP\FrontEnd\sapgui\saplogon.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\FileBound\Viewer\FBViewerLauncher.exe
C:\Program Files\Symantec AntiVirus\SymCorpUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.compass-usa.com
O15 - Trusted Zone: http://*.compassperformance.com
O15 - Trusted Zone: http://*.ondemand.halogensoftware.com
O15 - Trusted Zone: *.redcross.org
O15 - Trusted Zone: *.compass-sales.com (HKLM)
O15 - Trusted Zone: http://*.compass-usa.com (HKLM)
O15 - Trusted Zone: *.compassperformance.com (HKLM)
O15 - Trusted Zone: http://*.compassperformance.com (HKLM)
O15 - Trusted Zone: fin.crothall.com (HKLM)
O15 - Trusted Zone: http://fin.crothall.com (HKLM)
O15 - Trusted Zone: teamchimes.crothall.com (HKLM)
O15 - Trusted Zone: http://teamchimes.crothall.com (HKLM)
O15 - Trusted Zone: teamops.crothall.com (HKLM)
O15 - Trusted Zone: http://teamops.crothall.com (HKLM)
O15 - Trusted Zone: http://crothall.fileburst.com (HKLM)
O15 - Trusted Zone: *.halogensoftware.com (HKLM)
O15 - Trusted IP range: 192.168.101.20 (HKLM)
O15 - ESC Trusted Zone: http://www.wise.com
O15 - ESC Trusted Zone: http://www.wise.com (HKLM)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1199306547204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NA.compassgroup.corp
O17 - HKLM\Software\..\Telephony: DomainName = NA.compassgroup.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NA.compassgroup.corp
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - c:\altiris\aclient\aclient.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Update Service (gupdate1c9db22824e6082) (gupdate1c9db22824e6082) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
--
End of file - 9989 bytes
-
Malwarebytes founnd this on my PC Monday. I had run MB the day before and it wasn't there then. I deleted it right away. I didn't use my computer for anything personal in the interim. Is the pc safe? Sorry, I deleted the log but it was backdoor.agent in the registry key.
-
I became a fan!
?
This never happened to me and I'm on facebook for months...
You tried to login on facebook and it redirected you to some nasty site? If that's what you were saying..
Almost impossible if you aren't infected...
What they are syaing is they opened a video message from someone, it contained a fake download purported to be Adobe Flash, they tried downloading it and got the malware. This is actully I found out about MB. We did a dance performance at work and several people recorded the video. The next day I get a message on Facebook from a coworker saying that I look funny dancing in the video (which I did because it was a comedy dancee routine). So I dowloaded the 'software' and got koobface. It was just a real bad coincidence at that time. Symantec didn't stop and although it found it couldn't get rid of it. So i found Malwarbytes on CNET, downloaded the program, removed the koobface and eberything is fine. The other day I got a backdoor bug which MB found and Symantec did not. I got rid of that promptly too.
Backdoor agent
in Resolved Malware Removal Logs
Posted
Thanks. Everything is set to update automatically. I think it may have somehow been transmitted over an unsecure wireless network with an infected pc on it. Won't do that again.