stephenite Posted October 15, 2009 ID:143303 Share Posted October 15, 2009 http://www.malwarebytes.org/forums/index.php?showtopic=27851Following the instructions from above thread please see below for logs from Malwarebytes and Hijack. Would really appreciate any assistance.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 1:50:14 PM, on 15/10/2009Platform: Windows 2003 SP2 (WinNT 5.02.3790)MSIE: Internet Explorer v7.00 (7.00.6000.16640)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\Dfssvc.exeC:\WINDOWS\System32\dns.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\inetsrv\inetinfo.exeC:\WINDOWS\System32\ismserv.exeC:\Program Files\McAfee\Common Framework\FrameworkService.exeC:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exeC:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exeC:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\ntfrs.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exeC:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exeC:\WINDOWS\System32\wins.exeC:\WINDOWS\system32\tcpsvcs.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\McAfee\ePolicy Orchestrator\Apache2\bin\Apache.exeC:\Program Files\McAfee\ePolicy Orchestrator\EventParser.exeC:\PROGRA~1\McAfee\EPOLIC~1\Apache2\bin\rotatelogs.exeC:\Program Files\McAfee\ePolicy Orchestrator\Apache2\bin\Apache.exeC:\PROGRA~1\McAfee\EPOLIC~1\Server\bin\tomcat5.exeC:\Program Files\McAfee\ePolicy Orchestrator\srvmon.exeC:\PROGRA~1\McAfee\EPOLIC~1\Apache2\bin\rotatelogs.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\rdpclip.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\RTHDCPL.EXEC:\Program Files\McAfee\Common Framework\UdaterUI.exeC:\Program Files\Java\jre1.6.0_03\bin\jusched.exeC:\Documents and Settings\All Users\Application Data\98fd2aa\WP98fd.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\McAfee\Common Framework\McTray.exeC:\WINDOWS\system32\igfxsrvc.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\Program Files\Java\jre1.6.0_03\bin\jucheck.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://203.111.95.212R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://203.111.95.212R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://203.111.95.212R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"O1 - Hosts: 74.125.45.100 www.securesoftwarebill.comand also see attached file for malwarebytes (too long)mbam_log_2009_10_15__13_16_19_.txt Link to post Share on other sites More sharing options...
stephenite Posted October 15, 2009 Author ID:143346 Share Posted October 15, 2009 I managed to resolve this issue - cannot see an option to delete the post. Thanks, Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted October 15, 2009 Root Admin ID:143404 Share Posted October 15, 2009 Well I'll close your post and leave you with this then.So how did I get infected in the first place? Link to post Share on other sites More sharing options...
Recommended Posts