
Pre-HJT Log Files



All,

I followed the instructions in the pre-HJT post. Well, almost all of them; I actually ran Malwarebytes first and then Spybot S&D, I hope that doesn't mess things up too bad. In any event, here is the log file for MBAM. I am currently running Panda ActiveScan and will post the logs from that when it is done, and will also follow up with the HJT logs.

I'd appreciate any help in cleaning up my laptop! I am on day two of this mess and am getting ready for the dreaded "re-image" of the laptop. Thanks!

J

MBAM Log

-------------

Malwarebytes' Anti-Malware 1.31

Database version: 1526

Windows 5.1.2600 Service Pack 3

12/20/2008 10:36:35 PM

mbam-log-2008-12-20 (22-36-35).txt

Scan type: Quick Scan

Objects scanned: 73932

Time elapsed: 18 minute(s), 57 second(s)

Memory Processes Infected: 3

Memory Modules Infected: 5

Registry Keys Infected: 41

Registry Values Infected: 9

Registry Data Items Infected: 4

Folders Infected: 7

Files Infected: 68

Memory Processes Infected:

C:\Documents and Settings\Administrator\Local Settings\temp\csrssc.exe (Trojan.Clicker) -> Unloaded process successfully.

C:\Program Files\WebMediaViewer\qttask.exe (Trojan.Zlob) -> Unloaded process successfully.

C:\Program Files\WebMediaViewer\qttaskm.exe (Trojan.Zlob) -> Unloaded process successfully.

Memory Modules Infected:

C:\WINNT\system32\kshqloin.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINNT\system32\vtUnKDWO.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINNT\system32\pavmyq.dll (Trojan.Vundo) -> Delete on reboot.

\\?\globalroot\Device\__max++>\F40C2779.dll (Rootkit.Zlob) -> Delete on reboot.

C:\WINNT\system32\tyshb36rfjdf.dll (Trojan.Fakealert) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{840b6a92-6279-4f1b-8c64-016b74193ab7} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{840b6a92-6279-4f1b-8c64-016b74193ab7} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{2ecca339-c274-40e3-a582-ef4c0e917639} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e20e95df-4c48-4b28-83df-387dbbce4f0d} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{840b6a92-6279-4f1b-8c64-016b74193ab7} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.Fakealert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.Fakealert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\anvtrgrwarning.warningbho (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{bae92f67-539c-41cd-9183-162bb40aaa0c} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{5c8b2a9c-24a0-4991-a74b-1e4931bd3a57} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{df3f06c6-d443-48a8-bdf2-4e31f0554ebf} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{95e9bcc0-2e84-4500-8a9c-0b7a96769124} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{95e9bcc0-2e84-4500-8a9c-0b7a96769124} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95e9bcc0-2e84-4500-8a9c-0b7a96769124} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\anvtrgrwarning.warningbho.1 (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{22C447D3-73A8-E1C7-C391-21BE4338CEBC} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3b8fb116-d358-48a3-a5c7-db84f15cbb04} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3b8fb116-d358-48a3-a5c7-db84f15cbb04} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\navigator (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\navigator (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\navigator (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\anvtrgrsoft (Rogue.VirusTrigger) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\webmedia.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online Alert Manager (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Toolbar (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AnvTrgrsoft (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14c271b9 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{2ecca339-c274-40e3-a582-ef4c0e917639} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jnskdfmf9eldfd (Trojan.Clicker) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\anvtrgr (Rogue.VirusHeat) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\quicktime task (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Security Packages (Trojan.Vundo.H) -> Data: c:\winnt\system32\vtunkdwo -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\winnt\system32\vtunkdwo -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Program Files\WebMediaViewer (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Start Menu\\Programs\AntivirusTrigger 2.1 (Rogue.VirusTrigger) -> Quarantined and deleted successfully.

C:\Program Files\AnvTrgrsoftware (Rogue.VirusTrigger) -> Quarantined and deleted successfully.

C:\Documents and Settings\jnieto\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\jnieto\Start Menu\Programs\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:

C:\WINNT\system32\vtUnKDWO.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINNT\system32\OWDKnUtv.ini (Trojan.Vundo.H) -> Delete on reboot.

C:\WINNT\system32\OWDKnUtv.ini2 (Trojan.Vundo.H) -> Delete on reboot.

C:\WINNT\system32\kshqloin.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINNT\system32\niolqhsk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINNT\system32\tyshb36rfjdf.dll (Trojan.Zlob.H) -> Delete on reboot.

C:\WINNT\system32\ijofmsu.dll (Trojan.Zlob.H) -> Delete on reboot.

C:\Documents and Settings\Administrator\Application Data\Microsoft\services.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

C:\WINNT\system32\pavmyq.dll (Trojan.Vundo) -> Delete on reboot.

\\?\globalroot\Device\__max++>\F40C2779.dll (Rootkit.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\temp\csrssc.exe (Trojan.Clicker) -> Quarantined and deleted successfully.

C:\Program Files\AnvTrgrsoftware\AnvTrgr.exe (Rogue.VirusHeat) -> Quarantined and deleted successfully.

C:\Program Files\AnvTrgrsoftware\AnvTrgrWarning.dll (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\WINNT\fd.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\bqucpjih.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINNT\system32\TDSSarxx.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINNT\system32\TDSSvoql.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINNT\system32\Drivers\TDSSpqlt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\temp\lilC.exe (Zlob.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\temp\~nsu.tmp\Au_.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8RSBUDWF\light-player.v.3.117[1].exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Application Data\Microsoft\10548.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Application Data\Microsoft\28694.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Program Files\Mozilla Firefox\Components\iamfamous.dll (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\Documents and Settings\jnieto\Local Settings\temp\csrssc.exe (Trojan.Clicker) -> Quarantined and deleted successfully.

C:\Documents and Settings\jnieto\Local Settings\temp\tmp17.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\jnieto\Application Data\Microsoft\25452.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Program Files\WebMediaViewer\browseu.exe (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\WebMediaViewer\myc.ico (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\WebMediaViewer\myd.ico (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\WebMediaViewer\mym.ico (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\WebMediaViewer\myp.ico (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\WebMediaViewer\myv.ico (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\WebMediaViewer\ot.ico (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\WebMediaViewer\qttask.exe (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\WebMediaViewer\qttaskm.exe (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\WebMediaViewer\qttasku.exe (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\WebMediaViewer\ts.ico (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Program Files\extravideo\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Start Menu\\Programs\AntivirusTrigger 2.1\AntivirusTrigger 2.1.lnk (Rogue.VirusTrigger) -> Quarantined and deleted successfully.

C:\Program Files\AnvTrgrsoftware\uninst.exe (Rogue.VirusTrigger) -> Quarantined and deleted successfully.

C:\Documents and Settings\jnieto\Application Data\gadcom\gadcom.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\jnieto\Start Menu\Programs\extravideo\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\WINNT\Downloaded Program Files\atmccli.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\Downloaded Program Files\atmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\prunnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\drivers\msqpdxserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\WINNT\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINNT\system32\tuvtusPI.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Favorites\Run Virus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Start Menu\AntivirusTrigger 2.1.lnk (Rogue.VirusTrigger) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Desktop\AntivirusTrigger 2.1.lnk (Rogue.VirusTrigger) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusTrigger 2.1.lnk (Rogue.VirusTrigger) -> Quarantined and deleted successfully.

C:\WINNT\temp\tempo-2E1.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Run Virus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\Run Virus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Desktop\Run Virus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Online Spyware Test.url (Trojan.Zlob) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Desktop\Online Spyware Test.url (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\jnieto\Application Data\Microsoft\services.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

C:\WINNT\system32\TDSSdxcp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\TDSSkkai.log (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINNT\system32\drivers\core.cache.dsk (Rootkit.Agent) -> Quarantined and deleted successfully.

--------

End MBAM LOG


Here is a copy of the Panda ActiveScan log.

Panda ActiveScan

---------------------

;***********************************************************************************************************************************************************************************

ANALYSIS: 2008-12-21 01:45:52

PROTECTIONS: 1

MALWARE: 18

SUSPECTS: 17

;***********************************************************************************************************************************************************************************

PROTECTIONS

Description Version Active Updated

;===================================================================================================================================================================================

Trend Micro OfficeScan Antivirus 8.0 Yes Yes

;===================================================================================================================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===================================================================================================================================================================================

00029434 spyware/virtumonde Spyware No 1 Yes No hkey_local_machine\software\microsoft\ms track system

00029434 spyware/virtumonde Spyware No 1 Yes No hkey_local_machine\software\microsoft\ms juan

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\jnieto\Cookies\jnieto@doubleclick[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\jnieto\Cookies\jnieto@atdmt[1].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\jnieto\Cookies\jnieto@tribalfusion[2].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\jnieto\Local Settings\temp\Cookies\jnieto@com[2].txt

00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\jnieto\Local Settings\temp\Cookies\jnieto@azjmp[2].txt

00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\jnieto\Local Settings\temp\Cookies\jnieto@www.burstbeacon[1].txt

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\jnieto\Local Settings\temp\Cookies\jnieto@server.iad.liveperson[2].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\jnieto\Local Settings\temp\Cookies\jnieto@ads.pointroll[1].txt

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\jnieto\Cookies\jnieto@overture[2].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\jnieto\Cookies\jnieto@questionmarket[2].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\jnieto\Local Settings\temp\Cookies\jnieto@atwola[2].txt

00458090 Adware/VideoAccessCodec Adware No 0 Yes No C:\Documents and Settings\jnieto\My Documents\MYAPPS\AntiV AntiAd\Malware Fix\SmitfraudFix.zip[smitfraudFix/VACFix.exe]

00458090 Adware/VideoAccessCodec Adware No 0 Yes No C:\Documents and Settings\jnieto\My Documents\MYAPPS\AntiV AntiAd\Malware Fix\SmitfraudFix\SmitfraudFix\VACFix.exe

00484705 Application/IEDefender HackTools No 0 Yes No C:\Documents and Settings\jnieto\My Documents\MYAPPS\AntiV AntiAd\Malware Fix\New\Malwarefix\smitfraudfix\IEDFix.C.exe

01010890 Generic Malware Virus/Trojan No 0 Yes No D:\My Documents\MYAPPS\music\Bear Share\BS230.exe

01010890 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\jnieto\My Documents\MYAPPS\music\Bear Share\BS230.exe

03477235 Application/SmithFraudFix.A HackTools No 0 Yes No C:\Documents and Settings\jnieto\My Documents\MYAPPS\AntiV AntiAd\Malware Fix\New\Malwarefix\smitfraudfix\SmitfraudFix.exe

03796505 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\jnieto\My Documents\MYAPPS\AntiV AntiAd\Malware Fix\SmitfraudFix.zip[smitfraudFix/IEDFix.C.exe]

03796505 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\jnieto\My Documents\MYAPPS\AntiV AntiAd\Malware Fix\SmitfraudFix\SmitfraudFix\IEDFix.C.exe

04199390 Trj/Downloader.MDW Virus/Trojan No 1 Yes No D:\My Documents\MYAPPS\Web Editor\fp2006-final-3.00-setup.zip[fp2006-final-3.00-setup.exe]

04199390 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Documents and Settings\jnieto\My Documents\MYAPPS\Web Editor\fp2006-final-3.00-setup.zip[fp2006-final-3.00-setup.exe]

;===================================================================================================================================================================================

SUSPECTS

Sent Location Vq

;===================================================================================================================================================================================

No C:\WINNT\System32\cjaxuj.dll Vq

No C:\WINNT\system32\cjaxuj.dll Vq

No C:\Documents and Settings\jnieto\My Documents\MYAPPS\AntiV AntiAd\Malware Fix\New\Malwarefix\smitfraudfix\404Fix.exe

No C:\Documents and Settings\jnieto\My Documents\MYAPPS\AntiV AntiAd\Malware Fix\New\Malwarefix\smitfraudfix\Agent.OMZ.Fix.exe

No C:\Documents and Settings\jnieto\My Documents\MYAPPS\AntiV AntiAd\Malware Fix\New\Malwarefix\smitfraudfix\VACFix.exe

No C:\Documents and Settings\jnieto\My Documents\MYAPPS\AntiV AntiAd\Malware Fix\SmitfraudFix\SmitfraudFix\404Fix.exe

No C:\Documents and Settings\jnieto\My Documents\MYAPPS\AntiV AntiAd\Malware Fix\SmitfraudFix.zip[smitfraudFix/404Fix.exe]

No C:\Documents and Settings\jnieto\My Documents\MYAPPS\CCNA\Boson - Router Simulator 4.30 & Crack CCNA CCNP CCIE.rar[boson.Router.Simulator.4.30.&.crack.CCNA.CCNP.CCIE\e_011516\Boson Router Simulator 4.00.exe]

No C:\Documents and Settings\jnieto\My Documents\MYAPPS\CCNA\Boson - Router Simulator 4.30 & Crack CCNA CCNP CCIE.rar[boson.Router.Simulator.4.30.&.crack.CCNA.CCNP.CCIE\e_011516\Boson Router Simulator v4.03 Crack.exe]

No C:\Documents and Settings\jnieto\My Documents\MYAPPS\CCNA\Bosun\Boson - Router Simulator 4.30 & Crack CCNA CCNP CCIE\Boson.Router.Simulator.4.30.&.crack.CCNA.CCNP.CCIE\e_011516\Boson Router Simulator 4.00.exe

No C:\Documents and Settings\jnieto\My Documents\MYAPPS\CCNA\Bosun\Boson - Router Simulator 4.30 & Crack CCNA CCNP CCIE\Boson.Router.Simulator.4.30.&.crack.CCNA.CCNP.CCIE\e_011516\Boson Router Simulator v4.03 Crack.exe

No C:\WINNT\system32\cjaxuj.dll Vq

No C:\WINNT\system32\klhcfpla.dll Vq

No D:\My Documents\MYAPPS\CCNA\Boson - Router Simulator 4.30 & Crack CCNA CCNP CCIE.rar[boson.Router.Simulator.4.30.&.crack.CCNA.CCNP.CCIE\e_011516\Boson Router Simulator v4.03 Crack.exe]

No D:\My Documents\MYAPPS\CCNA\Boson - Router Simulator 4.30 & Crack CCNA CCNP CCIE.rar[boson.Router.Simulator.4.30.&.crack.CCNA.CCNP.CCIE\e_011516\Boson Router Simulator 4.00.exe]

No D:\My Documents\MYAPPS\CCNA\Bosun\Boson - Router Simulator 4.30 & Crack CCNA CCNP CCIE\Boson.Router.Simulator.4.30.&.crack.CCNA.CCNP.CCIE\e_011516\Boson Router Simulator 4.00.exe

No D:\My Documents\MYAPPS\CCNA\Bosun\Boson - Router Simulator 4.30 & Crack CCNA CCNP CCIE\Boson.Router.Simulator.4.30.&.crack.CCNA.CCNP.CCIE\e_011516\Boson Router Simulator v4.03 Crack.exe

;===================================================================================================================================================================================

VULNERABILITIES

Id Severity Description Vq

;===================================================================================================================================================================================

;===================================================================================================================================================================================

--------------------

End Panda ActiveScan log


HijackThis Log

----------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:53:05 AM, on 12/21/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\SCardSvr.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Cisco Systems\cvpnd.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\WINNT\system32\hkcmd.exe

C:\WINNT\system32\igfxpers.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\WINNT\TEMP\TV28D5.EXE

C:\WINNT\System32\alg.exe

C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXYNS167\HiJackThis[1].exe

C:\WINNT\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whatwashomepage.com/?q=http://w...ww.tc.fluke.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [sprint SmartView] "C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe" -a

O4 - HKLM\..\Run: [blackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background

O4 - HKLM\..\Run: [jsf8j34rgfght] C:\DOCUME~1\jnieto\LOCALS~1\Temp\winloggn.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://fww.tc.fluke.com

O15 - Trusted Zone: *.amaena.com (HKLM)

O15 - Trusted Zone: *.avsystemcare.com (HKLM)

O15 - Trusted Zone: *.onerateld.com (HKLM)

O15 - Trusted Zone: *.safetydownload.com (HKLM)

O15 - Trusted Zone: *.trustedantivirus.com (HKLM)

O15 - Trusted Zone: *.virusremover2008.com (HKLM)

O15 - Trusted Zone: *.virusschlacht.com (HKLM)

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229548195564

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229548179548

O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab

O16 - DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} (View22RTEv4 Class) - http://merillat.view22.com/release_3_9_177/View22RTEv4.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://danaher.webex.com/client/T26L10NSP4...bex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = danahertm.com

O17 - HKLM\Software\..\Telephony: DomainName = danahertm.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = danahertm.com

O20 - AppInit_DLLs: pavmyq.dll cjaxuj.dll

O20 - Winlogon Notify: bYOfeDVL - bYOfeDVL.dll (file missing)

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\cvpnd.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Sprint RcAppSvc (SprintRcAppSvc) - PCTEL - C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe

O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

O23 - Service: VNC Server (WinVNC) - AT&T Research Labs Cambridge - C:\Program Files\ORL\VNC\WinVNC.exe

--

End of file - 8894 bytes

-----------------------

End HijackThis log
