
BBUBBA - HJT Logs - MBAM and Panda


This topic is locked
2 replies to this topic

#1 bbubba (Members, 3 posts)

Posted 01 December 2008 - 11:49 AM

I got infected with the fake security pop-up and it looks like some rootkit infection.

In my scans I also found TDSS and Trojan.Zlob. I disabled the two TDSS non-Plug-and-Play drivers using devmgmt.msc. Before this I was not able to go to Google, but after this work I can now Google search again.

I cleaned what I could using the remove feature on the scan tools.

Any help to completely free the machine of harmful infections will be greatly appreciated.
Bbubba

HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:49 AM, on 11/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\Scan Tools\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4892 bytes

MWB Scan

Malwarebytes' Anti-Malware 1.30
Database version: 1436
Windows 5.1.2600 Service Pack 3

11/29/2008 8:07:38 PM
mbam-log-2008-09-26 (23-19-58).txt

Scan type: Quick Scan
Objects scanned: 49592
Time elapsed: 8 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\Administrator\Application Data\Google\mscscc.dll (Trojan.FakeAlert) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nah_Shell (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpseti (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\nah_sgmo.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Administrator\Application Data\Google\runhh6110411.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Administrator\Application Data\Google\mscscc.dll (Trojan.FakeAlert) -> No action taken.


Panda Scan
;*******************************************************************************
ANALYSIS: 2008-11-30 06:43:41
PROTECTIONS: 0
MALWARE: 13
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\All Users\Documents\A_SITES\aado\_notes\aado-mail-from old server\pfritz[~0001564.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\All Users\Documents\A_SITES\aado\_notes\aado-mail-from old server\pfritz[~0001560.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\All Users\Documents\A_SITES\aado\_notes\aado-mail-from old server\pfritz[~0002029.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\All Users\Documents\A_SITES\aado\_notes\aado-mail-from old server\pfritz[~0002025.~]
00098232 W32/Netsky.P.worm Virus No 0 Yes No C:\Documents and Settings\All Users\Documents\A_SITES\aado\_notes\aado-mail-from old server\pfritz[message.scr]
00098232 W32/Netsky.P.worm Virus No 0 Yes No C:\Documents and Settings\All Users\Documents\A_SITES\aado\_notes\aado-mail-from old server\pfritz[websites03.zip][details.txt .pif]
00098232 W32/Netsky.P.worm Virus No 0 Yes No C:\Documents and Settings\All Users\Documents\A_SITES\aado\_notes\aado-mail-from old server\pfritz[message.scr]
00098232 W32/Netsky.P.worm Virus No 0 Yes No C:\Documents and Settings\All Users\Documents\A_SITES\aado\_notes\aado-mail-from old server\pfritz[information.exe]
00098232 W32/Netsky.P.worm Virus No 0 Yes No C:\Documents and Settings\All Users\Documents\A_SITES\aado\_notes\aado-mail-from old server\pfritz[document_all02c.zip][data.rtf .scr]
00098232 W32/Netsky.P.worm Virus No 0 Yes No C:\Documents and Settings\All Users\Documents\A_SITES\aado\_notes\aado-mail-from old server\pfritz[document09_info.txt.scr]
00098232 W32/Netsky.P.worm Virus No 0 Yes No C:\Documents and Settings\All Users\Documents\A_SITES\aado\_notes\aado-mail-from old server\pfritz[message.scr]
00098232 W32/Netsky.P.worm Virus No 0 Yes No C:\Documents and Settings\All Users\Documents\A_SITES\aado\_notes\aado-mail-from old server\pfritz[message.scr]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@perf.overture[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@overture[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[2].txt
00171765 Trj/Redbind.A Virus/Trojan No 0 Yes No C:\Documents and Settings\Administrator\Desktop\Scan Tools\hjreader\HijackReader.exe
00171765 Trj/Redbind.A Virus/Trojan No 0 Yes No C:\Program Files\HijackReader.exe
00186300 Trj/Mitglieder.DQ Virus/Trojan No 1 Yes No C:\Documents and Settings\All Users\Documents\A_SITES\aado\_notes\aado-mail-from old server\pfritz[new.zip][foto_bs363.exe]
00199382 W32/Bagle.EC.worm HackTools No 0 Yes No C:\Documents and Settings\All Users\Documents\A_SITES\aado\_notes\aado-mail-from old server\pfritz[Increase_in_the_tax.zip][Taxes.exe]
02947949 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-21fce01e-3503b51b.class
03548669 Adware/RogueAntimalware2008 Adware No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SPAZOP2J\MSXSetup[1].exe[MSX.cpl]
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
;===============================================================================

Thanks for any help.

BBuBBa

#2 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts)

Posted 14 December 2008 - 06:45 PM

Hello bbubba,

Sorry about the delay. :thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts)

Posted 23 December 2008 - 02:14 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic