Rogue.antimalwarelab

My client reported problems with their network on one of their computers (they have a small office with a peer-to-peer network) and being unable to access the Google, Bing and Yahoo search engines. I updated Malwarebytes and ran a scan and it found 2 infections of Rogue.AntiMalwareLab which it quarantined and deleted successfully. I scanned a copy of the log into a PDF file and uploaded it for your review. Still being unable to access the above search engines, I flushed their DNS cache and ran a Winsock fix program to see if possibly damaged TCP/IP stacks or LSP were the problem. Still no success. I then installed and ran HijackThis. The HijackThis message was that it could not gain access to the hosts file, but it generated a log and I have posted that here for your review below. Thank you for your help.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:07:03 AM, on 8/30/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Seagate\BlackArmorBackup\BlackArmorBackupMonitor.exe
C:\Program Files\Seagate\BlackArmorBackup\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 217.23.7.114 www.google.com
O1 - Hosts: 217.23.7.114 google.com
O1 - Hosts: 217.23.7.114 google.com.au
O1 - Hosts: 217.23.7.114 www.google.com.au
O1 - Hosts: 217.23.7.114 google.be
O1 - Hosts: 217.23.7.114 www.google.be
O1 - Hosts: 217.23.7.114 google.com.br
O1 - Hosts: 217.23.7.114 www.google.com.br
O1 - Hosts: 217.23.7.114 google.ca
O1 - Hosts: 217.23.7.114 www.google.ca
O1 - Hosts: 217.23.7.114 google.ch
O1 - Hosts: 217.23.7.114 www.google.ch
O1 - Hosts: 217.23.7.114 google.de
O1 - Hosts: 217.23.7.114 www.google.de
O1 - Hosts: 217.23.7.114 google.dk
O1 - Hosts: 217.23.7.114 www.google.dk
O1 - Hosts: 217.23.7.114 google.fr
O1 - Hosts: 217.23.7.114 www.google.fr
O1 - Hosts: 217.23.7.114 google.ie
O1 - Hosts: 217.23.7.114 www.google.ie
O1 - Hosts: 217.23.7.114 google.it
O1 - Hosts: 217.23.7.114 www.google.it
O1 - Hosts: 217.23.7.114 google.co.jp
O1 - Hosts: 217.23.7.114 www.google.co.jp
O1 - Hosts: 217.23.7.114 google.nl
O1 - Hosts: 217.23.7.114 www.google.nl
O1 - Hosts: 217.23.7.114 google.no
O1 - Hosts: 217.23.7.114 www.google.no
O1 - Hosts: 217.23.7.114 google.co.nz
O1 - Hosts: 217.23.7.114 www.google.co.nz
O1 - Hosts: 217.23.7.114 google.pl
O1 - Hosts: 217.23.7.114 www.google.pl
O1 - Hosts: 217.23.7.114 google.se
O1 - Hosts: 217.23.7.114 www.google.se
O1 - Hosts: 217.23.7.114 google.co.uk
O1 - Hosts: 217.23.7.114 www.google.co.uk
O1 - Hosts: 217.23.7.114 google.co.za
O1 - Hosts: 217.23.7.114 www.google.co.za
O1 - Hosts: 217.23.7.114 www.google-analytics.com
O1 - Hosts: 217.23.7.114 www.bing.com
O1 - Hosts: 217.23.7.114 search.yahoo.com
O1 - Hosts: 217.23.7.114 www.search.yahoo.com
O1 - Hosts: 217.23.7.114 uk.search.yahoo.com
O1 - Hosts: 217.23.7.114 ca.search.yahoo.com
O1 - Hosts: 217.23.7.114 de.search.yahoo.com
O1 - Hosts: 217.23.7.114 fr.search.yahoo.com
O1 - Hosts: 217.23.7.114 au.search.yahoo.com
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [blackArmorBackupMonitor.exe] C:\Program Files\Seagate\BlackArmorBackup\BlackArmorBackupMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\BlackArmorBackup\TimounterMonitor.exe
O4 - HKLM\..\Run: [seagate Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: pfolder.lnk = ?
O4 - Startup: Public on 'Seagate BlackArmor NAS (192.168.254.102)' (P).lnk = ?
O4 - Startup: Seagate Product Registration.lnk = C:\Documents and Settings\Vivian Trottini\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: AutorunsDisabled - Invalid registry found
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 7311 bytes
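A defender-side check, added here and not part of the original post: it parses the O1 entries from a HijackThis log (or a raw hosts file, which HijackThis could not read on this machine) and groups overrides of search-engine and safety-service domains by the address they point at, which is exactly the pattern visible in the log above. The sample lines are constructed from entries in that log.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of O1 lines in HijackThis log format.
SAMPLE_LOG = """\
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 217.23.7.114 www.google.com
O1 - Hosts: 217.23.7.114 www.bing.com
O1 - Hosts: 217.23.7.114 search.yahoo.com
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 0.0.0.0 ads.example.invalid
"""

# Constructed sample in raw hosts-file format (comments, several names per line).
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1 localhost
217.23.7.114 google.co.uk www.google.co.uk  # same redirect, two names per line
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

# Addresses that are legitimate in a hosts file: loopback or null-route blocking.
BENIGN_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}

# Name fragments a user-level hosts override should never redirect: search
# engines and the browser/AV safety services the log shows being sinkholed.
WATCHED = ("google.", "bing.com", "yahoo.com", "microsoft.com")

def parse_o1(text):
    """Return (ip, hostname) pairs from HijackThis 'O1 - Hosts:' lines."""
    return [m.groups() for line in text.splitlines() if (m := O1_RE.match(line))]

def parse_hosts(text):
    """Return (ip, hostname) pairs from a raw hosts file, comments stripped."""
    pairs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        pairs.extend((fields[0], host) for host in fields[1:])
    return pairs

def hijacked_entries(pairs):
    """Group non-loopback overrides of watched domains by the IP they resolve to."""
    by_ip = defaultdict(list)
    for ip, host in pairs:
        if ip not in BENIGN_TARGETS and any(w in host for w in WATCHED):
            by_ip[ip].append(host)
    return dict(by_ip)
```

Any non-empty result means the hosts file, not DNS, is answering for those names, which is why flushing the DNS cache and repairing Winsock could not restore access.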

3 weeks later...
Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
