Jump to content

matthewc

Members
  • Posts

    7
  • Joined

  • Last visited

Everything posted by matthewc

  1. Hi, I updated to Adobe Reader 9 and followed your instructions for Java 6u10. As far as I can tell the system seems to be running smoothly and is free of any viruses/malware. Thank you very much!
  2. Things are looking good for now. Is there anything else I should look out for? Again, thanks for your help. You guys are great! Malwarebytes' Anti-Malware 1.30 Database version: 1403 Windows 5.1.2600 Service Pack 3 11/16/2008 9:37:08 PM mbam-log-2008-11-16 (21-37-08).txt Scan type: Quick Scan Objects scanned: 48386 Time elapsed: 4 minute(s), 49 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:37:48 PM, on 11/16/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\WINDOWS\system32\cba\pds.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\system32\devldr32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\cba\xfr.exe C:\WINDOWS\system32\MsgSys.EXE C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://news.google.com/ O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload O4 - HKLM\..\Run: [imekrmig] C:\IME\IMKR\imekrmig.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Intel File Transfer - Intel
  3. Earlier in the afternoon, after I deleted the rootkit service in gmer, I ran mbam in safe mode and this is what it picked up: Malwarebytes' Anti-Malware 1.30 Database version: 1401 Windows 5.1.2600 Service Pack 3 11/15/2008 4:42:45 PM mbam-log-2008-11-15 (16-42-45).txt Scan type: Quick Scan Objects scanned: 47202 Time elapsed: 8 minute(s), 39 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 8 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\TDSScfum.dll (Trojan.TDSS) -> Quarantined and deleted successfully. C:\WINDOWS\system32\TDSSnrsr.dll (Trojan.TDSS) -> Quarantined and deleted successfully. C:\WINDOWS\system32\TDSSofxh.dll (Trojan.TDSS) -> Quarantined and deleted successfully. C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Quarantined and deleted successfully. C:\Documents and Settings\taro\Local Settings\Temp\TDSS8d23.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Documents and Settings\taro\Local Settings\Temp\TDSS8daf.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\TDSSfxwp.dll (Rootkit.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Quarantined and deleted successfully. After doing that things seem to be back to normal. Here are my most recent mbam and hjt logs: Malwarebytes' Anti-Malware 1.30 Database version: 1401 Windows 5.1.2600 Service Pack 3 11/16/2008 1:22:42 AM mbam-log-2008-11-16 (01-22-42).txt Scan type: Quick Scan Objects scanned: 48381 Time elapsed: 7 minute(s), 22 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:58:16 AM, on 11/16/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\WINDOWS\system32\cba\pds.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\system32\devldr32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\cba\xfr.exe C:\WINDOWS\system32\MsgSys.EXE C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://news.google.com/ O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload O4 - HKLM\..\Run: [imekrmig] C:\IME\IMKR\imekrmig.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Intel File Transfer - Intel
  4. Hi folks, Removing the modules and etc. associated files in gmer wasn't as straight forward as deleting the service. All i could do is dump the module (and to be honest I had no idea what that meant or did). For the registry values there don't seem to be many options in gmer. Any advice on that? Thank you, I appreciate the help.
  5. Hi, I deleted the tdss service in gmer. I was wondering if I should also remove the module and other associated registry files, but haven't taken any of that action yet. Thank you for your quick responses! Attached is the gmerlog post deletion. quote name='Raid' date='Nov 15 2008, 12:50 AM' post='34946'] Hello Matthewc, I have had a chance to examine your GMER log, and it seems you are indeed infected with a RootKit.TDSS variant. If you can, please visit here and follow the instructions. http://www.gmer.net/faq.php Just in case you can't access it via website url, here's the IP http://204.152.184.145/faq.php Replace the rootkit.rustok with tdss, The instructions are the same regardless of this particular variant we're dealing with. gmerlog.zip gmerlog.zip
  6. Hi, thanks for your help. Here's the gmerlog. gmerlog.zip gmerlog.zip
  7. Hi, Our home computer was hit with viruses a few days ago and thanks to Malwarebytes a lot of things have been cleaned up. However, there is one trojan that keeps resurfacing after the computer is booted up... Malwarebytes' Anti-Malware 1.30 Database version: 1397 Windows 5.1.2600 Service Pack 3 11/14/2008 5:14:12 AM mbam-log-2008-11-14 (05-14-12).txt Scan type: Quick Scan Objects scanned: 48255 Time elapsed: 5 minute(s), 10 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ;******************************************************************************* ******************************************************************************** * ******************* ANALYSIS: 2008-11-14 05:45:58 PROTECTIONS: 2 MALWARE: 10 SUSPECTS: 0 ;******************************************************************************* ******************************************************************************** * ******************* PROTECTIONS Description Version Active Updated ;=============================================================================== ================================================================================ = =================== Symantec Antivirus Corporate Edition 8.0 No Yes Norton Antivirus Edition 7.5 No No ;=============================================================================== ================================================================================ = =================== MALWARE Id Description Type Active Severity Disinfectable Disinfected Location ;=============================================================================== ================================================================================ = =================== 00003805 adware/ezula Adware No 0 Yes No hkey_classes_root\typelib\{e0d3b292-a0b0-4640-975c-2f882e039f52} 00003805 adware/ezula Adware No 0 Yes No hkey_local_machine\software\classes\typelib\{e0d3b292-a0b0-4640-975c-2f882e039f52} 00003805 adware/ezula Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE} 00003805 adware/ezula Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E} 00020302 adware/ncase Adware No 0 Yes No hkey_current_user\software\microsoft\internet explorer\main\search page_bak 00020302 adware/ncase Adware No 0 Yes No hkey_local_machine\software\180solutions 00020302 adware/ncase Adware No 0 Yes No hkey_current_user\software\microsoft\internet explorer\main\search bar_bak 00020942 adware/exact.bargainbuddy Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357} 00020942 adware/exact.bargainbuddy Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E1357} 00020942 adware/exact.bargainbuddy Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E2468} 00020942 adware/exact.bargainbuddy Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED12468} 00024383 spyware/clearsearch Spyware No 1 Yes No HKEY_CLASSES_ROOT\Interface\{0f2a4adc-dabf-4980-8db4-19f67d7b1f95} 00035917 adware/ist.sidefind Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\tsl installer 00039204 adware/cws Adware No 0 Yes No hkey_current_user\software\microsoft\internet explorer\main\start page_bak 00039209 adware/virtualbouncer Adware No 0 Yes No hkey_classes_root\swrt01.rt 00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\TypeLib\{e0d3b292-a0b0-4640-975c-2f882e039f52} 00039209 adware/virtualbouncer Adware No 0 Yes No hkey_local_machine\software\classes\swrt01.rt 00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\TypeLib\{d0c29a75-7146-4737-98ee-bc4d7cf44af9} 00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{d52433a9-a44c-43ab-a013-24b3c756dd2b} 00039209 adware/virtualbouncer Adware No 0 Yes No hkey_classes_root\clsid\{d52433a9-a44c-43ab-a013-24b3c756dd2b} 00039209 adware/virtualbouncer Adware No 0 Yes No hkey_classes_root\clsid\{8940e505-72c6-44de-be85-1d746780efbf} 00039209 adware/virtualbouncer Adware No 0 Yes No hkey_classes_root\clsid\{417386c3-8d4a-4611-9b91-e57e89d603ac} 00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{417386c3-8d4a-4611-9b91-e57e89d603ac} 00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{795398d0-dc2f-4118-a69c-592273ba9c2b} 00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\TypeLib\{5e594162-60a9-487d-84b8-dbdd716cb862} 00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{10d7db96-56dc-4617-8eab-ec506abe6c7e} 00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{b288f21c-a144-4ca2-9b70-8afa1fae4b06} 00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{6cdc3337-01f7-4a79-a4af-0b19303cc0be} 00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{8940e505-72c6-44de-be85-1d746780efbf} 00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{6e0ed53c-9908-49ed-b055-7cb31b162577} 00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{9bcdd51b-4a7b-446c-8452-d32d38004582} 00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{a986f4db-792e-4571-8974-0bb6e024766f} 00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{bccab53d-0895-40c3-a942-a03538ce227a} 00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{49db48ff-02b5-4645-b676-94a4df1aa026} 00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c} 00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{c0f88e9e-dceb-4655-968a-ae508a677c39} 00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{830d3aed-2fa9-454f-b266-d931862bbf34} 00039209 adware/virtualbouncer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273} 00041904 adware/sidesearch Adware No 0 Yes No hkey_local_machine\software\lycos 00043761 adware/addestroyer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06} 00043761 adware/addestroyer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B} 00043761 adware/addestroyer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06} 00043761 adware/addestroyer Adware No 0 Yes No hkey_classes_root\swlad1.swlad 00043761 adware/addestroyer Adware No 0 Yes No hkey_classes_root\popoops2.popoops 00043761 adware/addestroyer Adware No 0 Yes No hkey_local_machine\software\classes\swlad1.swlad 00043761 adware/addestroyer Adware No 0 Yes No hkey_local_machine\software\classes\popoops2.popoops 00043761 adware/addestroyer Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B} 00046761 adware/xupiter Adware No 0 Yes No HKEY_CLASSES_ROOT\TypeLib\{805AF2C8-98C7-4F3C-A7C9-25EBF27567F3} ;=============================================================================== ================================================================================ = =================== SUSPECTS Sent Location s ;=============================================================================== ================================================================================ = =================== ;=============================================================================== ================================================================================ = =================== VULNERABILITIES Id Severity Description s ;=============================================================================== ================================================================================ = =================== ;=============================================================================== ================================================================================ = =================== Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:47:32 AM, on 11/14/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\WINDOWS\system32\cba\pds.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\system32\devldr32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\cba\xfr.exe C:\WINDOWS\system32\MsgSys.EXE C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://news.google.com/ O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [imjpmig] C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload O4 - HKLM\..\Run: [imekrmig] C:\IME\IMKR\imekrmig.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Intel File Transfer - Intel
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.