Posts posted by ajtao

  1. Thanks very much for the update and help. Here are the 3 logfiles:

    EsetLog:

    ----------

    # version=4

    # OnlineScanner.ocx=1.0.0.635

    # OnlineScannerDLLA.dll=1, 0, 0, 79

    # OnlineScannerDLLW.dll=1, 0, 0, 78

    # OnlineScannerUninstaller.exe=1, 0, 0, 49

    # vers_standard_module=3717 (20081225)

    # vers_arch_module=1.064 (20080214)

    # vers_adv_heur_module=1.064 (20070717)

    # EOSSerial=4ca73f47c017924fabd1381a759b3e35

    # end=finished

    # remove_checked=true

    # unwanted_checked=false

    # utc_time=2008-12-25 07:25:47

    # local_time=2008-12-25 11:25:47 (-0800, Pacific Standard Time)

    # country="United States"

    # osver=5.1.2600 NT Service Pack 3

    # scanned=345330

    # found=4

    # scan_time=3595

    C:\Documents and Settings\Andrew Tao\Application Data\Auslogics\Rescue\One Button Checkup\081205090727390.rsc Win32/Toolbar.AskSBar application (deleted) 00000000000000000000000000000000

    C:\Documents and Settings\Andrew Tao\Application Data\Auslogics\Rescue\One Button Checkup\081205090727390.rsc

  2. Hi,

    I've recently been hit by what appears to be browser hijacks. I've run the 3 tools outlined and will post their logs below ...

    Thanks in advance for any help!

    -AJ

    1. MBAM scan

    Malwarebytes' Anti-Malware 1.31

    Database version: 1531

    Windows 5.1.2600 Service Pack 3

    12/22/2008 8:11:47 AM

    mbam-log-2008-12-22 (08-11-47).txt

    Scan type: Quick Scan

    Objects scanned: 56170

    Time elapsed: 6 minute(s), 20 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 2

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

    2. Panda Active Scan

    ;************************************************************************************************************************************************************************************

    ANALYSIS: 2008-12-22 09:36:13

    PROTECTIONS: 1

    MALWARE: 8

    SUSPECTS: 5

    ;************************************************************************************************************************************************************************************

    PROTECTIONS

    Description Version Active Updated

    ;====================================================================================================================================================================================

    CA Anti-Virus 10.0.0.163 No Yes

    ;====================================================================================================================================================================================

    MALWARE

    Id Description Type Active Severity Disinfectable Disinfected Location

    ;====================================================================================================================================================================================

    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew Tao\Cookies\andrew_tao@atdmt[1].txt

    00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew Tao\Cookies\andrew_tao@com[1].txt

    00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew Tao\Cookies\andrew_tao@server.iad.liveperson[2].txt

    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew Tao\Cookies\andrew_tao@ads.pointroll[1].txt

    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew Tao\Cookies\andrew_tao@questionmarket[2].txt

    00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew Tao\Cookies\andrew_tao@did-it[1].txt

    00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vdvsbfe9.default\cookies.txt[.atwola.com/]

    04434951 HackTools No 0 Yes No C:\Documents and Settings\Andrew Tao\Local Settings\Temporary Internet Files\Content.IE5\TX9IGQW5\apstpldr.dll[1].htm

    ;====================================================================================================================================================================================

    SUSPECTS

    Sent Location t

    ;====================================================================================================================================================================================

    No C:\Program Files\Trend Micro\HijackThis\backups\backup-20081221-201428-601.dll t

    No C:\Program Files\RealVNC\VNC4\vncconfig.exe t

    No C:\Program Files\RealVNC\VNC4\vncviewer.exe t

    No C:\WINDOWS\system32\qmimmdqr.dll t

    No C:\WINDOWS\system32\rprdwz.dll t

    ;====================================================================================================================================================================================

    VULNERABILITIES

    Id Severity Description t

    ;====================================================================================================================================================================================

    ;====================================================================================================================================================================================

    3. HiJack This scan

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 10:07:16 AM, on 12/22/2008

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.6000.16762)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

    C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    C:\WINDOWS\system32\nvsvc32.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\RUNDLL32.EXE

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\SOUNDMAN.EXE

    C:\Program Files\Logitech\MouseWare\system\em_exec.exe

    C:\Program Files\CA\CA Internet Security Suite\casc.exe

    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

    C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

    C:\WINDOWS\system32\rundll32.exe

    C:\Documents and Settings\Andrew Tao\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    C:\WINDOWS\system32\mstsc.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\WINDOWS\system32\notepad.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear

    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

    O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\casc.exe"

    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{CCB24D4D-A53B-4D5A-B593-4DDD9C560002}: Domain = nvidia.com

    O17 - HKLM\System\CCS\Services\Tcpip\..\{CCB24D4D-A53B-4D5A-B593-4DDD9C560002}: NameServer = 172.16.229.26,172.16.229.26

    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = nvidia.com

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nvidia.com

    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

    O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe

    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

    O23 - Service: SlimServer (slimsvc) - Unknown owner - C:\Program Files\SlimServer\server\slim.exe

    O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

    O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

    O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

    --

    End of file - 7072 bytes
