ajtao

Members

View Profile See their activity

Posts
2
Joined
December 22, 2008
Last visited
February 13, 2009

Content Type

All Activity

Events

Profiles

Forums

Topics
Posts

Everything posted by ajtao

help with malware

ajtao replied to ajtao's topic in Resolved Malware Removal Logs

Thanks very much for the update and help. Here are the 3 logfiles: EsetLog: ---------- # version=4 # OnlineScanner.ocx=1.0.0.635 # OnlineScannerDLLA.dll=1, 0, 0, 79 # OnlineScannerDLLW.dll=1, 0, 0, 78 # OnlineScannerUninstaller.exe=1, 0, 0, 49 # vers_standard_module=3717 (20081225) # vers_arch_module=1.064 (20080214) # vers_adv_heur_module=1.064 (20070717) # EOSSerial=4ca73f47c017924fabd1381a759b3e35 # end=finished # remove_checked=true # unwanted_checked=false # utc_time=2008-12-25 07:25:47 # local_time=2008-12-25 11:25:47 (-0800, Pacific Standard Time) # country="United States" # osver=5.1.2600 NT Service Pack 3 # scanned=345330 # found=4 # scan_time=3595 C:\Documents and Settings\Andrew Tao\Application Data\Auslogics\Rescue\One Button Checkup\081205090727390.rsc Win32/Toolbar.AskSBar application (deleted) 00000000000000000000000000000000 C:\Documents and Settings\Andrew Tao\Application Data\Auslogics\Rescue\One Button Checkup\081205090727390.rsc
- December 25, 2008
- 4 replies
help with malware

ajtao posted a topic in Resolved Malware Removal Logs

Hi, I've recently been hit by what appears to be browser hijacks. I've run the 3 tools outlined and will post their logs below ... Thanks in advance for any help! -AJ 1. MBAM scan Malwarebytes' Anti-Malware 1.31 Database version: 1531 Windows 5.1.2600 Service Pack 3 12/22/2008 8:11:47 AM mbam-log-2008-12-22 (08-11-47).txt Scan type: Quick Scan Objects scanned: 56170 Time elapsed: 6 minute(s), 20 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) 2. Panda Active Scan ;******************************************************************************* ******************************************************************************** * ******************* ANALYSIS: 2008-12-22 09:36:13 PROTECTIONS: 1 MALWARE: 8 SUSPECTS: 5 ;******************************************************************************* ******************************************************************************** * ******************* PROTECTIONS Description Version Active Updated ;=============================================================================== ================================================================================ = =================== CA Anti-Virus 10.0.0.163 No Yes ;=============================================================================== ================================================================================ = =================== MALWARE Id Description Type Active Severity Disinfectable Disinfected Location ;=============================================================================== ================================================================================ = =================== 00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew Tao\Cookies\andrew_tao@atdmt[1].txt 00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew Tao\Cookies\andrew_tao@com[1].txt 00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew Tao\Cookies\andrew_tao@server.iad.liveperson[2].txt 00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew Tao\Cookies\andrew_tao@ads.pointroll[1].txt 00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew Tao\Cookies\andrew_tao@questionmarket[2].txt 00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew Tao\Cookies\andrew_tao@did-it[1].txt 00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vdvsbfe9.default\cookies.txt[.atwola.com/] 04434951 HackTools No 0 Yes No C:\Documents and Settings\Andrew Tao\Local Settings\Temporary Internet Files\Content.IE5\TX9IGQW5\apstpldr.dll[1].htm ;=============================================================================== ================================================================================ = =================== SUSPECTS Sent Location t ;=============================================================================== ================================================================================ = =================== No C:\Program Files\Trend Micro\HijackThis\backups\backup-20081221-201428-601.dll t No C:\Program Files\RealVNC\VNC4\vncconfig.exe t No C:\Program Files\RealVNC\VNC4\vncviewer.exe t No C:\WINDOWS\system32\qmimmdqr.dll t No C:\WINDOWS\system32\rprdwz.dll t ;=============================================================================== ================================================================================ = =================== VULNERABILITIES Id Severity Description t ;=============================================================================== ================================================================================ = =================== ;=============================================================================== ================================================================================ = =================== 3. HiJack This scan Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:07:16 AM, on 12/22/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\CA\CA Internet Security Suite\casc.exe C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe C:\Program Files\Cisco Systems\VPN Client\vpngui.exe C:\WINDOWS\system32\rundll32.exe C:\Documents and Settings\Andrew Tao\Local Settings\Application Data\Google\Update\GoogleUpdate.exe C:\WINDOWS\system32\mstsc.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86" O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\casc.exe" O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{CCB24D4D-A53B-4D5A-B593-4DDD9C560002}: Domain = nvidia.com O17 - HKLM\System\CCS\Services\Tcpip\..\{CCB24D4D-A53B-4D5A-B593-4DDD9C560002}: NameServer = 172.16.229.26,172.16.229.26 O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = nvidia.com O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nvidia.com O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe O23 - Service: SlimServer (slimsvc) - Unknown owner - C:\Program Files\SlimServer\server\slim.exe O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe -- End of file - 7072 bytes
- December 22, 2008
- 4 replies

Sign In

ajtao

Posts

Joined

Last visited

Content Type

Events

Profiles

Forums

Everything posted by ajtao

help with malware

help with malware

Browse

Activity

Personal

Business

Business Modules

Partners

Learn

Start here

Type of malware/attacks

How does it get on my computer?

Scams and grifts

Support

Important Information