malaprop
Posts posted by malaprop
-
I think I'm good, but you guys are the experts.
DDS (Ver_11-03-05.01) - NTFSx86
Run by b at 19:45:16.20 on Thu 05/26/2011
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2558.1724 [GMT -4:00]
.
AV: Panda Cloud Antivirus *Enabled/Updated* {86971480-9989-6750-B122-681A86518D59}
SP: Panda Cloud Antivirus *Enabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\TeamViewer\Version6\TeamViewer.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\taskmgr.exe
C:\Program Files\UltraMon\UltraMonUiAcc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\MozyHome\mozybackup.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\AUDIODG.EXE
C:\Users\b\Desktop\infection\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com
uInternet Settings,ProxyServer = http=
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [AdobeBridge]
uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [<NO NAME>]
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ultramon.lnk - c:\windows\installer\{b49673f8-7ab6-4a14-8213-c8a7be370010}\IcoUltraMon.ico
uPolicies-explorer: MaxRecentDocs = 32 (0x20)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://ciscosupport.webex.com/client/T27L10NSP11EP19/support/ieatgpc1.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
AppInit_DLLs: c:\progra~1\google\google~1\GO36F4~1.DLL acaptuser32.dll
SSODL: GrooveChat - {196a8ddc-07c7-4ecf-a81a-8cb52f4a7d2a} - c:\program files\common files\commonlayoutmodifier\CommonLayoutModifier.dll
SSODL: CommonLayoutModifier - {196a8ddc-07c7-4ecf-a81a-8cb52f4a7d2a} - c:\program files\common files\commonlayoutmodifier\CommonLayoutModifier.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {481975DE-442F-492E-BC22-696F699A804D} - reg add "HKCU\Software\Microsoft\Terminal Server Client\Default\AddIns\ThinPrint" /v Name /t reg_sz /d "c:\windows\system32\TPClnRDP.dll" /f
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\b\appdata\roaming\mozilla\firefox\profiles\co6in0d7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\users\b\appdata\roaming\mozilla\firefox\profiles\co6in0d7.default\extensions\mozilla_cc@internetdownloadmanager.com\components\idmmzcc.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\b\appdata\roaming\mozilla\firefox\profiles\co6in0d7.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\users\b\appdata\roaming\mozilla\firefox\profiles\co6in0d7.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\users\b\appdata\roaming\mozilla\plugins\npatgpc.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
FF - Ext: dragdropupload: {CB56AAF9-68C8-41bd-8E5C-7B53232CF7B9} - %profile%\extensions\{CB56AAF9-68C8-41bd-8E5C-7B53232CF7B9}
FF - Ext: WebMail Notifier: {37fa1426-b82d-11db-8314-0800200c9a66} - %profile%\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
FF - Ext: Webmail Ad Blocker: gmailnoads@mywebber.com - %profile%\extensions\gmailnoads@mywebber.com
FF - Ext: Stylish: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8} - %profile%\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
FF - Ext: ReloadEvery: {888d99e7-e8b5-46a3-851e-1ec45da1e644} - %profile%\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Check4Change: check4change-owner@mozdev.org - %profile%\extensions\check4change-owner@mozdev.org
FF - Ext: SortPlaces: sortplaces@andyhalford.com - %profile%\extensions\sortplaces@andyhalford.com
FF - Ext: MeasureIt: {75CEEE46-9B64-46f8-94BF-54012DE155F0} - %profile%\extensions\{75CEEE46-9B64-46f8-94BF-54012DE155F0}
FF - Ext: Open With Photoshop: {f3f219f9-cbce-467e-b8fe-6e076d29665c} - %profile%\extensions\{f3f219f9-cbce-467e-b8fe-6e076d29665c}
FF - Ext: IDM CC: mozilla_cc@internetdownloadmanager.com - %profile%\extensions\mozilla_cc@internetdownloadmanager.com
FF - Ext: IDM CC: mozilla_cc@internetdownloadmanager.com - c:\users\b\appdata\roaming\idm\idmmzcc3
.
============= SERVICES / DRIVERS ===============
.
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-12-16 126536]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 IDMWFP;IDMWFP;c:\windows\system32\drivers\idmwfp.sys [2010-11-13 83184]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-3-1 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-5-23 47640]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-12-27 363344]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-12-16 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-12-16 141384]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-12-16 99400]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-12-16 111176]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-12-16 113736]
R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-1-27 2253688]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2008-11-14 17184]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-16 20952]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-7-10 30192]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-3-16 27192]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2010-3-11 25088]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-2-26 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-4-1 1343400]
.
=============== Created Last 30 ================
.
2011-05-24 16:23:10 11 ----a-w- c:\progra~2\userlib.dll
2011-05-24 16:22:34 -------- d-----w- c:\program files\PaulMarv Software
2011-05-23 20:43:58 -------- d-----w- c:\users\b\appdata\local\LogMeIn
2011-05-23 20:43:49 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-05-23 20:43:49 29568 ----a-w- c:\windows\system32\LMIport.dll
2011-05-23 20:43:48 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-05-23 20:43:48 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2011-05-23 20:43:44 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-05-23 20:43:35 -------- d-----w- c:\progra~2\LogMeIn
2011-05-23 20:43:21 -------- d-----w- c:\program files\LogMeIn
2011-05-23 14:41:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-22 19:52:44 6962000 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{37890045-4d07-4166-9b95-3894eae99a61}\mpengine.dll
2011-05-18 15:31:01 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-18 15:31:01 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-18 15:30:58 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-07 06:43:55 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2011-05-07 06:43:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-07 06:07:17 -------- d-----w- c:\users\b\appdata\local\Orzeszek
2011-05-07 03:05:26 -------- d-----w- c:\program files\FreeCountdownTimer
2011-05-01 05:57:11 -------- d-----w- c:\users\b\appdata\roaming\GRLevel3
2011-05-01 05:56:52 -------- d-----w- c:\program files\GRLevelX
.
==================== Find3M ====================
.
2011-04-01 08:47:01 409088 ----a-w- c:\windows\system32\systemcpl.dll
2011-04-01 08:47:01 13824 ----a-w- c:\windows\system32\slwga.dll
2011-04-01 08:46:58 811520 ----a-w- c:\windows\system32\user32.dll
2011-03-11 05:33:59 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:33:59 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-08 05:28:29 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-07 05:33:13 981504 ----a-w- c:\windows\system32\wininet.dll
2011-03-07 03:52:25 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-03-03 05:38:01 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-03 05:36:16 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-03-03 03:42:34 2333184 ----a-w- c:\windows\system32\win32k.sys
2011-02-27 00:43:21 152576 ----a-w- c:\windows\system32\msclmd.dll
2010-10-01 06:27:25 2048 --sha-w- c:\windows\actofvl\clip.exe
.
============= FINISH: 19:46:09.80 ===============
-
Wrong VT report, here is the right one.
(Can't edit posts?)
-
Sorry for the delay folks. I did a full scan with Panda Cloud and came up with this nasty little bugger that was in C:\USERS\C\APPDATA\LOCAL\TEMP. All seems well now, the temp folder stays clean after a reboot. Mbam and SAS are quiet also.
-
At boot time, UAC found dialup.exe and data.txt in users\me\appdata\local\temp. After I denied it permission, Panda Cloud neutralized passwordfox.exe from the same directory. iepv.txt has my email username and password. This is from the mbam protection log:
21:45:30 c DETECTION C:\Users\c\AppData\Local\Temp\dialup.exe Hacktool.Dialupass QUARANTINE
21:45:34 c DETECTION C:\USERS\C\APPDATA\LOCAL\TEMP\DIALUP.EXE Hacktool.Dialupass DENY
I deleted all files in the temp folder. The longalphanumericstring.tmp files and the WPDNSE folder had to be deleted in safe mode. When I reboot, the files are back. I know ChromePass, iepv and mspass are Nirsoft files, but why are they being replaced after deletion? I changed my email password (on another machine) but I haven't logged into it from this machine since. I use VPNs and RDP for work, I don't know if I should be concerned about those either.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:13:08 PM, on 5/15/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\TeamViewer\Version6\TeamViewer.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\UltraMon\UltraMonUiAcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Adobe\Adobe Photoshop CS5\Photoshop.exe
C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\taskhost.exe
C:\Users\b\Desktop\ALL\DOWNLOAD\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java
-
OK, the 200 logs are in C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs and the 27 logs are in C:\Users\USER NAME\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs.
Thank you. Thank you very much.
-
Hi all, I'm using 1.50.1.1100 on Win7 SP1. I wanted to know the location of the logs in Windows. In the logs tab there are over 200 logs. When I go to %AppData%\Malwarebytes\Malwarebytes' Anti-Malware\Logs, there are only about 27. Am I looking in the wrong place? Thank you!
-
I could use some help with this issue also, so hope this topic isn't closed. I'm having the same problem with MBAM showing successful updating in the logs, but the database version never updates; I have to log in to my admin account and do it manually every few days. I'm using XP3, MBAM V 1.44, and have enacted all the program permissions in my McAfee security that I could find.
I don't use my admin account for anything but admin purposes, so I'm confused, how is the automatic update feature supposed to work if the database version must be manually updated? Thanks for any help you can give me!
I think what Firefox means is the logged-on user must have administrative rights for it to update, so if that user does not have admin rights, it won't work. Most people always log on with admin rights. Like in my situation, it won't update until I log the kids off and log in myself.
-
Didn't know that, it's the kids' machine, so much for phone support. I'm always on my box with admin rights of course. Okay, that wraps that up. Thanks for the speedy replies, love this forum.
-
Perfect.
What is your Windows version? If you have Vista or Seven, admin privileges are necessary, or an account that is not limited, to perform updates.
XP SP3, no admin on machine.
-
Hello,
What version of MBAM is installed? The latest release is 1.44, you should have this version.
Yes, 1.44
-
mbam runs the update without error messages, but it won't get up to date. It is now on database 3596, 1/18/10. The latest is 3796, today. Any ideas? Thanks!
-
I'll be happy to help if required?
Thank you very much. I posted to Google's Webmaster Tools help group inquiring as to the status of my request, I'll let you know if I get a response.
Any opinion on Norton Websafe, Unmask Parasites and Dasient's Web Anti-Malware?
-
It's the company website. I'm just the lowly sysadmin. I'm not involved in the day-to-day upkeep/updating of the site, I rarely even look at it. Managing the Windows 2008 Domain Controllers, Terminal Servers, Exchange 2007 and LAN/WAN for 150 users pretty much punches my dance card. The site was professionally built some time ago; maintenance and updating consists of not much more than uploading documents and images to the desired directories. FrontPage a la Filezilla. My recreational HTML editing skills are intermediate at best and that's pushing it. I wouldn't know PHP if I sat on it, which is OK because there isn't (supposed to be) any PHP on it.
So when the guy that does it tells me there's a problem with the site, I look at it. Yup, that would be a problem. So now I have to clean it up, upload a 'certified clean' copy and then explain a few common sense security procedures and enforce them. Of course this would be much simpler if Google would follow through on the Review Request I submitted almost 72 hours ago. Through Google's Webmaster Tools, I scanned it with Norton Websafe: clean. Unmask Parasites' report mentions an "external reference" about a Belgian Porsche dealer, and Dasient's Web Anti-Malware shows it clean but had several "possible sensitive directories".
So I guess that kinda leaves me in limbo until Google does what it's supposed to do...
-
How does one do that?
-
Yes, your posting was what got me onto the Gumblar trail.
What should I use to scan a copy of my public folder to verify that it is clean before I upload it back? The site is hosted on a Linux box but since it's shared hosting, I can't scan it myself with something like clamd. I need a Windows app that I can trust to be effective so I can scan it on my pc first.
-
Apologies for taking so long.
I've got 3 records of exploits on 3 different domains on 195.47.247.178. Could you give me your site's IP please?
64.29.145.73 but it's on shared hosting, not dedicated.
Also, any thoughts on my first question regarding the scan?
-
Just had a problem with the company website, Google was reporting it as dangerous. The Safe Browsing diagnostic page said the malicious software included 11 scripting exploits and 7 trojans. I downloaded the entire public directory to a laptop with mbam 1.41, db v3198 on it and scanned it several times. Mbam did not find anything. After opening a ticket with the hosting provider, I learned that they disabled 2 exploits, same file, 2 locations: /public/images/gifimg.php and /public/web/images/gifimg.php. When I uploaded the file to VirusTotal, only one scanning engine (Sophos) found Troj/PHPMod-C. Looks like it may be a Gumblar residual/variant. Should mbam have picked that up? (Neither SAS nor MSE caught it.)
Also, the IP Protection blocked it. Not that that's a surprise. (But I did wonder how it picked that up so quick.) I've put in an Incorrect Forgery Alert to Google, don't know how long that takes to go through. The IP protection is still blocking it but when it pops up with the IP address in it, the address is wrong. It displays 195.47.247.178 which is in Denmark. In a browser, it opens a page with "This domain is not yet ready - Please try again later. Hosted by One.com" on it. That is miles from the IP of my site. What's up with that?
Thank you. Thank you very much.
Level of Concern?
in Resolved Malware Removal Logs
All seems well, no problems. Thanks for the help.