Jump to content

Recommended Posts

Have Forefront client security, ran quick scan picked up a things but didn't list them because computer was running funky. Removed 3 items, rebooted and ran a quick scan but didn't pick anything up off of the quick scan, however was still getting pop ups after the fact. Ran a hijack log and had to give up the computer to the user and won't have access until 4PM this afternoon but would like to know what to do as soon as i get on that computer, here is the hijack log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:52:31 AM, on 12/3/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\AMT\atchksrv.exe

c:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe

C:\WINDOWS\system32\ifxspmgt.exe

C:\WINDOWS\system32\ifxtcs.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\IfxPsdSv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TelemetDataSource\TelemetQuoteService.exe

C:\Program Files\Intel\AMT\UNS.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Intel\AMT\atchk.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\blp\API\OFFICE~1\Bloomberg.UIServer.exe

C:\blp\API\OFFICE~1\Bloomberg.RtdServer.exe

C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe

C:\blp\Wintrv\wintrv.exe

C:\Program Files\eSignal\Winsig.exe

C:\Program Files\eSignal\WINROS.EXE

C:\Program Files\Trillian\trillian.exe

C:\blp\Wintrv\SmartClient\blpsmarthost.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://*.hub.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.bearprime.com/bpderiv/common/shared/smsx.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198067108402

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1221689368379

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =

O17 - HKLM\Software\..\Telephony: DomainName =

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =

O20 - AppInit_DLLs: C:\WINDOWS\system32\dasabisi.dll c:\windows\system32\hipatava.dll

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hipatava.dll

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hipatava.dll

O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\ifxspmgt.exe

O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\ifxtcs.exe

O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe

O23 - Service: Personal Secure Drive service (PersonalSecureDriveService) - Infineon Technologies AG - C:\WINDOWS\system32\IfxPsdSv.exe

O23 - Service: TelemetQuoteService - Telemet America, Inc - C:\Program Files\TelemetDataSource\TelemetQuoteService.exe

O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe

--

End of file - 10597 bytes

Link to post
Share on other sites

Hi. :)

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Link to post
Share on other sites

Thank you very much!! Here is the log for the first time. I have since rebooted and am running the quick scan again. So far after the reboot Automatic Updates started by itself. Something before was causing it to be disabled. So i'm crossing my fingers. Thanks, please tell me what to do next.

Malwarebytes' Anti-Malware 1.31

Database version: 1456

Windows 5.1.2600 Service Pack 3

12/3/2008 10:18:23 PM

mbam-log-2008-12-03 (22-18-23).txt

Scan type: Quick Scan

Objects scanned: 67812

Time elapsed: 25 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 5

Registry Keys Infected: 6

Registry Values Infected: 5

Registry Data Items Infected: 5

Folders Infected: 0

Files Infected: 13

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\dumenebi.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\fadokase.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\humerago.dll (Trojan.Vundo.H) -> Delete on reboot.

c:\WINDOWS\system32\rahobofo.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\dasabisi.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21c203a5-85ee-40c9-b7f4-3f62d763f15c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{21c203a5-85ee-40c9-b7f4-3f62d763f15c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{21c203a5-85ee-40c9-b7f4-3f62d763f15c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\38e93e88 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fisuguwihu (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm3bda0d14 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\rahobofo.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\rahobofo.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\dasabisi.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\dasabisi.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\dasabisi.dll -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\dumenebi.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\ibenemud.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\fufajoku.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ukojafuf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hevolofo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ofoloveh.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sezulono.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\onoluzes.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\humerago.dll (Trojan.Vundo.H) -> Delete on reboot.

c:\WINDOWS\system32\rahobofo.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\fadokase.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\dasabisi.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\jotogeni.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Malwarebytes' Anti-Malware 1.31

Database version: 1456

Windows 5.1.2600 Service Pack 3

12/4/2008 7:02:03 AM

mbam-log-2008-12-04 (07-02-03).txt

Scan type: Quick Scan

Objects scanned: 67369

Time elapsed: 26 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.