help with malware


ajtao
Hi,

I've recently been hit by what appears to be browser hijacks. I've run the 3 tools outlined and will post their logs below ...

Thanks in advance for any help!

-AJ

1. MBAM scan

Malwarebytes' Anti-Malware 1.31

Database version: 1531

Windows 5.1.2600 Service Pack 3

12/22/2008 8:11:47 AM

mbam-log-2008-12-22 (08-11-47).txt

Scan type: Quick Scan

Objects scanned: 56170

Time elapsed: 6 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

2. Panda Active Scan

;*******************************************************************************************************************************************************************************

ANALYSIS: 2008-12-22 09:36:13

PROTECTIONS: 1

MALWARE: 8

SUSPECTS: 5

;*******************************************************************************************************************************************************************************

PROTECTIONS

Description Version Active Updated

;===================================================================================================================================================================================

CA Anti-Virus 10.0.0.163 No Yes

;===================================================================================================================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===================================================================================================================================================================================

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew Tao\Cookies\andrew_tao@atdmt[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew Tao\Cookies\andrew_tao@com[1].txt

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew Tao\Cookies\andrew_tao@server.iad.liveperson[2].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew Tao\Cookies\andrew_tao@ads.pointroll[1].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew Tao\Cookies\andrew_tao@questionmarket[2].txt

00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Andrew Tao\Cookies\andrew_tao@did-it[1].txt

00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vdvsbfe9.default\cookies.txt[.atwola.com/]

04434951 HackTools No 0 Yes No C:\Documents and Settings\Andrew Tao\Local Settings\Temporary Internet Files\Content.IE5\TX9IGQW5\apstpldr.dll[1].htm

;===================================================================================================================================================================================

SUSPECTS

Sent Location t

;===================================================================================================================================================================================

No C:\Program Files\Trend Micro\HijackThis\backups\backup-20081221-201428-601.dll t

No C:\Program Files\RealVNC\VNC4\vncconfig.exe t

No C:\Program Files\RealVNC\VNC4\vncviewer.exe t

No C:\WINDOWS\system32\qmimmdqr.dll t

No C:\WINDOWS\system32\rprdwz.dll t

;===================================================================================================================================================================================

VULNERABILITIES

Id Severity Description t

;===================================================================================================================================================================================

;===================================================================================================================================================================================

3. HiJack This scan

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:07:16 AM, on 12/22/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\CA\CA Internet Security Suite\casc.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

C:\WINDOWS\system32\rundll32.exe

C:\Documents and Settings\Andrew Tao\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\mstsc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\casc.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{CCB24D4D-A53B-4D5A-B593-4DDD9C560002}: Domain = nvidia.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{CCB24D4D-A53B-4D5A-B593-4DDD9C560002}: NameServer = 172.16.229.26,172.16.229.26

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = nvidia.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nvidia.com

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: SlimServer (slimsvc) - Unknown owner - C:\Program Files\SlimServer\server\slim.exe

O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--

End of file - 7072 bytes


Hello AJ and welcome to MalwareBytes forums.

1. Set Windows to show all files and all folders.

On your Desktop, double click My Computer. From the menu options, select Tools, then Folder Options, then the View tab, and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under Hidden files and folders, choose (select) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files and the temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}.

=

Using Internet Explorer browser only, go to ESET Online Scanner website:

  • Accept the Terms of Use and press the Start button;
  • Approve the install of the required ActiveX Control, then follow the on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Look at the contents of this file using Notepad or Wordpad.

The Frequently Asked Questions for ESET Online Scanner can be viewed here:

http://www.eset.com/onlinescan/cac4.php?page=faq

  • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner. Otherwise the scan will take twice as long to do: every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
  • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner. (And the prompt re-enabling when finished.)
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

Download DDS and save it to your desktop from here: http://www.techsupportforum.com/sectools/sUBs/dds

or http://download.bleepingcomputer.com/sUBs/dds.scr

or http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  • DDS.txt
  • Attach.txt

Save both reports to your desktop.

Please include the following logs in your next reply:

the Eset scan log,

DDS.txt

Attach.txt


Thanks very much for the update and help. Here are the 3 logfiles:

EsetLog:

----------

# version=4

# OnlineScanner.ocx=1.0.0.635

# OnlineScannerDLLA.dll=1, 0, 0, 79

# OnlineScannerDLLW.dll=1, 0, 0, 78

# OnlineScannerUninstaller.exe=1, 0, 0, 49

# vers_standard_module=3717 (20081225)

# vers_arch_module=1.064 (20080214)

# vers_adv_heur_module=1.064 (20070717)

# EOSSerial=4ca73f47c017924fabd1381a759b3e35

# end=finished

# remove_checked=true

# unwanted_checked=false

# utc_time=2008-12-25 07:25:47

# local_time=2008-12-25 11:25:47 (-0800, Pacific Standard Time)

# country="United States"

# osver=5.1.2600 NT Service Pack 3

# scanned=345330

# found=4

# scan_time=3595

C:\Documents and Settings\Andrew Tao\Application Data\Auslogics\Rescue\One Button Checkup\081205090727390.rsc Win32/Toolbar.AskSBar application (deleted) 00000000000000000000000000000000

C:\Documents and Settings\Andrew Tao\Application Data\Auslogics\Rescue\One Button Checkup\081205090727390.rsc


Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present:

O17 - HKLM\System\CCS\Services\Tcpip\..\{CCB24D4D-A53B-4D5A-B593-4DDD9C560002}: Domain = nvidia.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{CCB24D4D-A53B-4D5A-B593-4DDD9C560002}: NameServer = 172.16.229.26,172.16.229.26

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = nvidia.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nvidia.com

Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer (and any other window) is closed when you click Fix Checked!

Next, Close all applications and windows.

If you have an older copy of SDFix, delete it now.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual user account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back in a Reply here.

=

Please perform this online scan: F-Secure Online Scanner

You will need to temporarily disable your antivirus program (CA Antivirus).

The online scanner is on the bottom right of the page.

Follow the directions in the F-Secure page for proper Installation.

You may receive an alert on the address bar at this point to install the ActiveX control.

Click on that alert and then click "Install ActiveX component".

Read the license agreement and click "Accept".

Click "Custom Scan" and be sure the following are checked:

  • Scan whole System
  • Scan all files
  • Scan whole system for rootkits
  • Scan whole system for spyware
  • Scan inside archives
  • Use advanced heuristics

When the scan completes, click the "I want to decide item by item" button.

For each item found, Select "Disinfect" and click "Next".

When done, click the "Show Report" button, then copy and paste the entire report into your next reply.

Re-enable your antivirus program when done!

=

Reply with copies of the Report.txt and the F-Secure Report, and tell me: how is your system now?

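The O17 entries the helper asks to fix are HijackThis's report of the TCP/IP DNS settings (Domain, NameServer, SearchList) held in the registry. As an added example that is not part of this thread or of any tool named in it, the Python below parses such lines and summarises them (control set, interface GUID, address scope of each name server, duplicated servers) so a reviewer can compare them against the network the machine is expected to use; the sample lines are the four quoted above, and the function names are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample input: the four O17 lines quoted in the thread above.
SAMPLE_LOG = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{CCB24D4D-A53B-4D5A-B593-4DDD9C560002}: Domain = nvidia.com
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{CCB24D4D-A53B-4D5A-B593-4DDD9C560002}: NameServer = 172.16.229.26,172.16.229.26
O17 - HKLM\\System\\CS3\\Services\\Tcpip\\Parameters: SearchList = nvidia.com
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: SearchList = nvidia.com
"""

# One O17 line: control set (CCS = CurrentControlSet, CS3 = ControlSet003),
# an optional per-interface GUID, then the DNS setting name and its value.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<iface>\{[0-9A-Fa-f-]+\})|Parameters): "
    r"(?P<name>Domain|NameServer|SearchList) = (?P<value>.+)$"
)

def parse_o17(log_text):
    """Return one dict per O17 line; all other HijackThis lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def classify_ip(text):
    """Label a name-server string by address scope for the reviewer."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return "invalid"
    if ip.is_loopback:          # checked first: loopback is also 'private'
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"

def summarise_o17(log_text):
    """Collect domains, search lists and name servers, noting duplicates."""
    report = {"domains": set(), "searchlists": set(), "nameservers": {},
              "duplicates": [], "control_sets": set()}
    for e in parse_o17(log_text):
        report["control_sets"].add(e["cset"])
        if e["name"] == "Domain":
            report["domains"].add(e["value"])
        elif e["name"] == "SearchList":
            report["searchlists"].add(e["value"])
        else:  # NameServer: comma-separated list of addresses
            servers = [s.strip() for s in e["value"].split(",") if s.strip()]
            for s in servers:
                report["nameservers"][s] = classify_ip(s)
            dupes = {s for s in servers if servers.count(s) > 1}
            report["duplicates"].extend(sorted(dupes))
    return report
```

Running `summarise_o17(SAMPLE_LOG)` reports a private-range name server listed twice and settings present in both the current and a non-current control set, which is the kind of detail worth confirming against the VPN or corporate network the user actually connects to before deciding what to fix.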
