elphaba
Posts posted by elphaba
Report 2 of 3 - ActiveScan
(Directions posted on this forum for how to get the report from a Panda scan are out of date. I collected the following by selecting an option for "export to". FYI - there was no "my computer" option for the scan. If I remember correctly, I selected "full scan".)
;*******************************************************************************
ANALYSIS: 2008-11-24 07:50:50
PROTECTIONS: 2
MALWARE: 5
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Windows Defender 1.1.4104.0 No No
Zone Alarm Security Suite 7.0.483.000 No No
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00020302 adware/ncase Adware No 0 Yes No c:\windows\system32\fleok
00024343 adware/keenvalue Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlSearchHooks\{0199df25-9820-4bd5-9fee-5a765ab4371e}
00047660 adware/sqwire Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\tsa
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\The Man\Cookies\the man@did-it[2].txt
03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP101\A0018387.sys
;===============================================================================
SUSPECTS
Sent Location F
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description F
;===============================================================================
182048 HIGH MS07-069 F
182043 HIGH MS07-064 F
120815 HIGH MS06-022 F
;===============================================================================
-
(I ran Spybot Search & Destroy - I didn't see anywhere in the instructions that log output was required for that; hope I didn't read it wrong.)
Here is the output from the Malwarebytes' Anti-Malware program (I installed the new version even though it was already installed on my system, since your instructions seemed to indicate you wanted us to do a new download of the program...)
Malwarebytes' Anti-Malware 1.30
Database version: 1419
Windows 5.1.2600 Service Pack 2
11/23/2008 7:09:15 PM
mbam-log-2008-11-23 (19-09-15).txt
Scan type: Quick Scan
Objects scanned: 57531
Time elapsed: 7 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
Following a Malwarebytes scan, the results show that "Trojan Downloader" is present. I remove it and reboot, but the next scan finds it again. How can I remove this trojan completely?
Same thing is happening on my system. I just noticed that I think I've been removing this same worm for some time. I just didn't notice it was the same one every time I scan. I read up on it at Symantec and found that it isn't considered a "very dangerous" worm (or virus?), but that doesn't keep me from wanting it removed.
I checked the processes that first come online when I boot up. lsass.exe is one of them. It seems that this is a legitimate process and not one you want to remove, but it also seems to be one that the downloader trojan hijacks in the process of doing its thing.
I found the info at Symantec interesting, maybe helpful. While waiting to see what we hear back on this forum, I plan to try some of their suggestions by doing a full scan in "safe mode", and also by adding the three hosts they specify as common hosts used by the downloader trojan into my hosts file (see www.mvps.org if you want more info on your hosts file). Symantec's virus info on the downloader trojan is at: http://www.symantec.com/security_response/...-011710-3138-99
Even if you don't have the full solution, any hints or tips are welcome. I'm also trying to search this forum for others who have had this same problem; I've gotten numerous hits on "downloader trojan" and lsass, trying to work several paths of troubleshooting at the same time.
elphaba's trojan.downloader problem - report 1 of 3
in Resolved Malware Removal Logs
Report 3 of 3 - HijackThis (I didn't see the "Generate StartupList log" option to click on, but I did get this info in Notepad. Hope that's correct.)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:11 AM, on 11/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\downloads\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.pandasecurity.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://update.zonelabs.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192905573843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192905533796
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37380.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - (no file)
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
--
End of file - 8879 bytes