
Stolen.data???



Ran Malwarebytes on a friend's laptop and the log came up with the following. I fixed the files. Do I have anything else to worry about? There are several users, but infected files came up for only "1" user.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5056

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

11/5/2010 6:41:42 PM

mbam-log-2010-11-05 (18-41-42).txt

Scan type: Quick scan

Objects scanned: 170311

Time elapsed: 10 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 65

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\SYSTEM32\cock\user@2o7[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@2o7[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@ad.yieldmanager[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@ad.yieldmanager[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@ad.yieldmanager[3].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@adbrite[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@adbrite[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@ads.bridgetrack[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@bankofamerica[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@barclaybankdelaware.122.2o7[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@capitalone[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@capitalone[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@cards.chase[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@cdn4.specificclick[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@cdn4.specificclick[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@chaseonline.chase[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@chaseonline.chase[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@chase[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@chase[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@content.yieldmanager[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@content.yieldmanager[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@content.yieldmanager[3].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@dhgmanagement.112.2o7[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@edge.ru4[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@edge.ru4[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@healthwiseorg.112.2o7[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@highbeam.122.2o7[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@homestore.122.2o7[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@juniper[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@juniper[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@malaysiaairlines.112.2o7[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@marriottinternational.122.2o7[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@revsci[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@revsci[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@rm.yieldmanager[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@roiservice[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@sales.liveperson[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@sales.liveperson[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@sales.liveperson[3].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@servicing.capitalone[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@servicing.capitalone[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@specificclick[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@specificclick[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@tradekey[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@tradekey[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@traveladvertising[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@traveladvertising[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@tribalfusion[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@tribalfusion[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@triseptsolutions.122.2o7[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@vendorweb.citibank[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@vendorweb.citibank[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@virginamerica.112.2o7[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@wamu[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@wamu[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@webtrends.chase[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@webtrends.chase[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@webtrends.chase[3].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@www.bankofamerica[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@www.juniper[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@www.juniper[2].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@www.juniper[3].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@www.tradekey[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@yieldmanager[1].txt (Stolen.Data) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\cock\user@yieldmanager[2].txt (Stolen.Data) -> Quarantined and deleted successfully.


  • Staff

Hi,

Malwarebytes should also remove the main loader related to this Banker trojan (appconf32.exe).

So can you rescan with malwarebytes and verify if the log comes up clean next time?

Also,

* Download HijackThis from here:

http://free.antivirus.com/hijackthis/

HijackThis will open after install. Press the Scan button below.

This will start the scan and open a log.

Copy and paste the contents of the log in your next reply.


I just did a search for "appconf32.exe" and nothing came up. Would I still need to do anything?

Thanks!


Yes, it's always a good idea to post a new Malwarebytes log and HijackThis log if you want to be certain there are no leftovers anymore.

OK, here are the logs from HijackThis and Malwarebytes.

Thanks!

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 1:27:18 PM, on 11/6/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17055)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\RegSrvc.exe

C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\system32\1XConfig.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe

C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\system32\BacsTray.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Brownie\BrstsWnd.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [urlLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"

O4 - HKLM\..\Run: [iPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [bacstray] BacsTray.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [brStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-21-1535801421-1010644667-692029220-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Narendra')

O4 - HKUS\S-1-5-21-1535801421-1010644667-692029220-1005\..\Run: [Google Update] "C:\Documents and Settings\Narendra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User 'Narendra')

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\iobit\advanced systemcare 3\spictrl.dll

O10 - Unknown file in Winsock LSP: c:\program files\iobit\advanced systemcare 3\spictrl.dll

O10 - Unknown file in Winsock LSP: c:\program files\iobit\advanced systemcare 3\spictrl.dll

O10 - Unknown file in Winsock LSP: c:\program files\iobit\advanced systemcare 3\spictrl.dll

O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 9730 bytes

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5062

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

11/6/2010 1:39:07 PM

mbam-log-2010-11-06 (13-39-07).txt

Scan type: Quick scan

Objects scanned: 170548

Time elapsed: 10 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Staff

Hi,

This looks OK here.

This trojan was mainly responsible for stealing passwords and other sensitive information, so I suggest you change all your passwords (mainly for online banking sites, etc.).

Also,

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


Thanks! Would everyone who uses the PC need to change passwords, or just the user which showed up in the original scan?

Thanks again for all your help.

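As an added example (not code from this thread, from Malwarebytes or from HijackThis), a small Python triage script that parses the "Files Infected:" lines of a Malwarebytes' Anti-Malware 1.x text log like the one posted above, splits each quarantined cookie file name (IE's `account@host[n].txt` convention) into Windows account and site, and groups the hits so the two questions raised in this thread can be answered from the log itself: which accounts' cookies were harvested, and which sites' passwords and sessions to reset first. The sample lines and the watchlist of banking sites are constructed from the posted log; the function names are this example's own.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs (added example)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the "Files Infected:" section of the log posted above.
SAMPLE_LOG = r"""
Files Infected: 7

Files Infected:
C:\WINDOWS\SYSTEM32\cock\user@2o7[1].txt (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\cock\user@bankofamerica[1].txt (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\cock\user@chaseonline.chase[2].txt (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\cock\user@chase[1].txt (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\cock\user@webtrends.chase[3].txt (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\cock\user@wamu[2].txt (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\cock\user@ad.yieldmanager[1].txt (Stolen.Data) -> Quarantined and deleted successfully.
"""

# One detection line in an MBAM 1.x log: "<path> (<detection name>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# IE-style cookie file name: "<windows account>@<host without TLD>[<n>].txt"
COOKIE_RE = re.compile(r"^(?P<account>[^@]+)@(?P<host>[^\[\]]+)\[\d+\]\.txt$", re.IGNORECASE)

# Constructed watchlist: the banking sites that appear in the posted log. Anything else
# (ad networks, analytics hosts) is still reported, but ranked lower for follow-up.
FINANCIAL_SITES = {"bankofamerica", "chase", "capitalone", "citibank", "wamu"}


def parse_detections(log_text):
    """Return [(path, detection_name, action)] for every detection line in the log."""
    found = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append((m.group("path"), m.group("name"), m.group("action")))
    return found


def cookie_origin(path):
    """Split a quarantined cookie path into (account, host); None if it is not a cookie file."""
    basename = path.rsplit("\\", 1)[-1]
    m = COOKIE_RE.match(basename)
    if not m:
        return None
    return m.group("account"), m.group("host").lower()


def site_of(host):
    """'chaseonline.chase' -> 'chase': IE drops the TLD, so the last label names the site."""
    return host.rsplit(".", 1)[-1]


def triage(log_text, detection_name="Stolen.Data"):
    """Group harvested cookie files by Windows account and site.

    Returns {account: {site: sorted list of hosts}}, which shows directly which
    accounts' sessions were copied and which sites deserve a password reset first.
    """
    report = defaultdict(lambda: defaultdict(set))
    for path, name, _action in parse_detections(log_text):
        if name != detection_name:
            continue
        origin = cookie_origin(path)
        if origin is None:
            continue
        account, host = origin
        report[account][site_of(host)].add(host)
    return {acct: {site: sorted(hosts) for site, hosts in sites.items()}
            for acct, sites in report.items()}


def affected_financial_sites(log_text):
    """Watchlisted sites that appear in the log, per account (reset these first)."""
    return {acct: sorted(s for s in sites if s in FINANCIAL_SITES)
            for acct, sites in triage(log_text).items()}


if __name__ == "__main__":
    for account, sites in triage(SAMPLE_LOG).items():
        print(f"account {account!r}:")
        for site, hosts in sorted(sites.items()):
            flag = "FINANCIAL" if site in FINANCIAL_SITES else "tracking/other"
            print(f"  {site:15} {flag:15} hosts={hosts}")
```

On the full log posted above, every harvested cookie belongs to the account "user", so that is the profile whose site passwords are at risk; shared-machine users who never logged into those sites from that profile do not appear in the log.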

  • 4 months later...

Hi miekiemoes,

Since my last post everything has been clean. As scheduled, I ran Malwarebytes and Spybot last night, and Spybot told me I had a "win32.bancos" trojan? I don't get it, because Malwarebytes is running in protection mode (with the latest updates) all the time on my PC blocking sites, so how would I get this?

Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6256

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

4/3/2011 10:54:37 AM

mbam-log-2011-04-03 (10-54-37).txt

Scan type: Quick scan

Objects scanned: 179847

Time elapsed: 13 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I also ran HijackThis:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 10:01:52 AM, on 4/3/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17095)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\RegSrvc.exe

C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\1XConfig.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe

C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\system32\BacsTray.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Brownie\BrstsWnd.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Apoint\Apntex.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Common Files\Java\Java Update\jucheck.exe

C:\Program Files\Trend Micro\Browser Guard\BGUI.exe

C:\Program Files\Trend Micro\Browser Guard\tmiegsrv.exe

C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe

C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe

C:\Documents and Settings\Viraj\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: IEGBH0 - {9F3209E2-334B-41E9-B09C-703F398742E7} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: TMIEGBHO - {F1AD4A42-BA52-47BC-89DF-3F68F24C017F} - C:\Program Files\Trend Micro\Browser Guard\TMAMS.dll

O3 - Toolbar: TMBGBAR TOOLBAR - {C8137A8D-415D-450C-A1B1-D0C519D45296} - C:\Program Files\Trend Micro\Browser Guard\tmieg.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"

O4 - HKLM\..\Run: [iPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [bacstray] BacsTray.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [brStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [Trend Micro Browser Guard] "C:\Program Files\Trend Micro\Browser Guard\BGUI.EXE"

O4 - HKLM\..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Trend Micro RUBotted Service (RUBotSrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 8687 bytes

Thanks in advance!
