Infected with Hacktool.rootkit and Trojan horse



#1 leescortxr3i

  • Members
  • 4 posts

Posted 03 April 2009 - 11:34 AM

Hi. I've been infected with the Hacktool.rootkit and a Trojan Horse. Every 5 minutes or so, Norton Antivirus comes up with a box saying that it's detected these two problems. It then says that it's deleted them but the message appears about 5 minutes later. I can only assume it's replicating itself somehow?
Please could you tell me how to remove it. I'm at a loss.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Lee Bell at 17:23:23.23 on 03/04/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3071.2194 [GMT 1:00]

AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
FW: Norton Internet Security 2006 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\svcadmin.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\NAVW32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
C:\Documents and Settings\Lee Bell\Desktop\dds.scr
C:\Documents and Settings\Lee Bell\Lee Bell.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Cooliris Plug-In for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\cooliris.dll
TB: Norton Internet Security 2006: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>] c:\documents and settings\lee bell\.exe /i
uRun: [Lee Bell] c:\documents and settings\lee bell\Lee Bell.exe /i
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\cooliris.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180133186630
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game12.zylom.com/activex/zylomgamesplayer.cab
DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2007-5-19 11264]
R1 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-8-26 53896]
R2 Anyplace Control Security;Anyplace Control Security;c:\windows\svcadmin.exe [2008-3-7 45568]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-16 191848]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2005-9-16 202088]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-16 169320]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\NAVAPSVC.EXE [2005-10-6 139888]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-5-19 1251720]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-3-18 92008]
R3 Belkin700F;Belkin Wireless G Desktop Card Service v7;c:\windows\system32\drivers\BLKWGDv7.sys [2007-6-15 303616]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090403.004\NAVENG.Sys [2009-4-3 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090403.004\NavEx15.Sys [2009-4-3 876144]
S2 gupdate1c98ec13823bce;Google Update Service (gupdate1c98ec13823bce);c:\program files\google\update\GoogleUpdate.exe [2009-2-14 133104]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [2007-5-19 35712]
S3 SAVScan;Symantec AVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-8-26 198368]
UnknownUnknown acpi32;acpi32; [x]
UnknownUnknown ati64si;ati64si; [x]
UnknownUnknown i386si;i386si; [x]
UnknownUnknown netsik;netsik; [x]
UnknownUnknown nicsk32;nicsk32; [x]
UnknownUnknown port135sik;port135sik; [x]
UnknownUnknown systemntmi;systemntmi; [x]

=============== Created Last 30 ================

2009-04-03 16:44 <DIR> --d----- c:\program files\Trend Micro
2009-04-03 16:43 812,344 a------- c:\program files\HJTInstall.exe
2009-04-03 16:25 10,973,350 a------- c:\windows\system32\PRZ
2009-04-02 16:58 20,451 ----h--- c:\documents and settings\lee bell\Lee Bell.exe
2009-03-23 23:09 <DIR> --dsh--- c:\documents and settings\lee bell\IECompatCache
2009-03-20 18:12 <DIR> --d----- c:\docume~1\leebel~1\applic~1\TomTom
2009-03-20 18:12 <DIR> --d----- c:\program files\TomTom International B.V
2009-03-20 18:12 <DIR> --d----- c:\program files\TomTom HOME 2
2009-03-17 00:50 <DIR> --dsh--- c:\documents and settings\lee bell\PrivacIE
2009-03-17 00:50 <DIR> --dsh--- c:\documents and settings\lee bell\IETldCache
2009-03-17 00:47 <DIR> --d----- c:\windows\ie8updates
2009-03-17 00:44 <DIR> -cd-h--- c:\windows\ie8
2009-03-17 00:43 79,360 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-03-06 17:12 4,710 a------- c:\windows\system32\fc.ico
2009-03-06 17:12 2,528 a------- c:\windows\FCIC.INI
2009-03-06 17:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\FirstClass

==================== Find3M ====================

2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-15 03:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 03:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 03:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 03:03 420,352 a------- c:\windows\system32\vbscript.dll
2009-01-15 03:03 72,704 a------- c:\windows\system32\admparse.dll
2009-01-15 03:03 71,680 a------- c:\windows\system32\iesetup.dll
2009-01-15 03:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 03:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 03:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 02:50 156,160 a------- c:\windows\system32\msls31.dll
2009-01-07 12:28 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-01-06 18:09 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2007-03-09 09:12 27,648 a--sh--- c:\windows\system32\AVSredirect.dll
2008-08-09 18:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080920080810\index.dat

============= FINISH: 17:23:49.67 ===============


The computer is running fine, it's just Norton that keeps coming up with these messages.


#2 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender: Male
  • Location: @localhost

Posted 12 April 2009 - 07:57 AM

Hi,

Sorry for the delay, no shortage of posters. If you still need help post back.

How Can I Reduce My Risk to Malware?


#3 leescortxr3i

  • Topic Starter
  • Members
  • 4 posts

Posted 13 April 2009 - 04:01 AM

Hi. Yes I'd still like someone to check the log I posted to see if there's any sign of that Hacktool.rootkit and Trojan Horse. Norton has stopped coming up with the messages that it's detected the viruses but I'm still not sure if they've gone.

Any help would be appreciated.

Thanks,

Lee

#4 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender: Male
  • Location: @localhost

Posted 13 April 2009 - 06:47 AM

Hi,

No, I don't recognize any malware in the log. I suggest a second anti-malware app that you can keep. There is a free and paid version. See below.
Do you know what this is:
C:\Documents and Settings\Lee Bell\Lee Bell.exe
If you know what the .exe is then no problem.

Malwarebytes;

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click **Remove Selected.**

**A restart of your computer most likely will be required to remove some items.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

How Can I Reduce My Risk to Malware?


#5 leescortxr3i

  • Topic Starter
  • Members
  • 4 posts

Posted 23 April 2009 - 05:07 PM

Hi, thanks for your reply. I installed the Malwarebytes programme and got the following log:

Malwarebytes' Anti-Malware 1.36
Database version: 2016
Windows 5.1.2600 Service Pack 3

23/04/2009 22:55:56
mbam-log-2009-04-23 (22-55-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 222736
Time elapsed: 1 hour(s), 30 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{37b85a21-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Lee Bell\Favorites\Free Porn Sex Porno Classic, Page 1.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN1C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN20.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN28.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN29.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN2C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN38.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN45.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN46.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN4B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN50.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN5B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN6A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN6E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN79.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN88.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BN93.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BNA5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BNB2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BNCC.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lee Bell\Local Settings\Temp\BND8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

However, I forgot to update the programme before running so I might run it again.

I can't see the 'LeeBell.exe' in the area that it's supposed to be in?! There's no sign of it on a search.

I've also noticed a strange file called 'oashdihasidhasuidhiasdhiashdiuasdhasd'. Does anyone know what that is?!

Thanks again for your time,
Lee

#6 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender: Male
  • Location: @localhost

Posted 23 April 2009 - 07:34 PM

Hi,

Thanks for the info. Yes, good idea to update it and run it once more. Also post the log.

"I can't see the 'LeeBell.exe' in the area that it's supposed to be in"

You can try this first, then look for the file:
For XP: on the desktop double-click My Computer, go to Tools > Folder Options > View, then select "Show hidden files and folders", then uncheck "Hide protected operating system files" and also uncheck "Hide extensions for known file types". Click "Apply to All Folders", then Apply, then OK.

Where was the strange file? Is it a .exe? Probably safe to delete it.

How Can I Reduce My Risk to Malware?
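A small checker, added here as an example and not part of the thread, that reads lines in the shape of the DDS log in post #1 and flags what shelf life asked about in posts #4 and #6: Run-key entries that start a file from a user profile or carry no name, and recently created files with the hidden attribute, which is why "Lee Bell.exe" does not show in Explorer until hidden files are displayed. The sample lines are constructed from entries in the log above; attribute letters are read as DDS prints them (d directory, h hidden, s system).

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the DDS log in post #1: four Run-key lines
# from the "Pseudo HJT Report" and four "Created Last 30" / "Find3M" lines.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>] c:\documents and settings\lee bell\.exe /i
uRun: [Lee Bell] c:\documents and settings\lee bell\Lee Bell.exe /i
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
2009-04-03 16:43 812,344 a------- c:\program files\HJTInstall.exe
2009-04-02 16:58 20,451 ----h--- c:\documents and settings\lee bell\Lee Bell.exe
2009-03-23 23:09 <DIR> --dsh--- c:\documents and settings\lee bell\IECompatCache
2007-03-09 09:12 27,648 a--sh--- c:\windows\system32\AVSredirect.dll
"""

# uRun/mRun/dRun = Run key under HKCU / HKLM / the default user hive.
RUN_RE = re.compile(r"^([umd])Run:\s*\[(.*?)\]\s*(.*)$")
# date time size-or-<DIR> eight-letter attribute string path
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) ([a-z-]{8}) (.+)$")
# First drive-rooted path ending in an executable extension; works for quoted
# and unquoted values and drops trailing switches such as " /i".
PATH_RE = re.compile(r'"?([a-z]:\\.*?\.(?:exe|scr|com|dll|bat|cmd))"?', re.I)
SCOPES = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}


@dataclass
class Finding:
    reason: str
    path: str


def parse_dds(text):
    """Return (run_entries, created) where created maps path -> (attrs, is_dir)."""
    runs, created = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            scope, name, value = m.groups()
            p = PATH_RE.search(value)
            target = p.group(1) if p else value
            runs.append((SCOPES[scope], name, target.lower()))
            continue
        m = CREATED_RE.match(line)
        if m:
            _date, _time, size, attrs, path = m.groups()
            # Attribute letters as DDS prints them: d directory, h hidden, s system.
            created[path.lower()] = (attrs, size == "<DIR>")
    return runs, created


def review(text):
    """Flag what a helper would ask about: hidden or profile-rooted autoruns,
    unnamed Run values, and freshly created hidden files."""
    runs, created = parse_dds(text)
    findings = []
    for scope, name, path in runs:
        attrs, _is_dir = created.get(path, ("", False))
        if "h" in attrs:
            findings.append(Finding(f"{scope} Run entry '{name}' starts a hidden file", path))
        elif "\\documents and settings\\" in path:
            findings.append(Finding(f"{scope} Run entry '{name}' starts a file from a user profile", path))
        if name == "<NO NAME>":
            findings.append(Finding(f"{scope} Run entry has no name", path))
    flagged = {f.path for f in findings}
    for path, (attrs, is_dir) in created.items():
        if not is_dir and "h" in attrs and path not in flagged:
            findings.append(Finding("recently created hidden file", path))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_DDS):
        print(f"{f.reason}: {f.path}")
```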


#7 leescortxr3i

  • Topic Starter
  • Members
  • 4 posts

Posted 24 April 2009 - 02:56 PM

Thanks for the reply ShelfLife.

I updated Malwarebytes and ran another scan. It reported there were no malicious items present.

The LeeBell.exe was found in C:\Documents and Settings\Lee Bell but I can't see it, even after I altered the file view settings as you described.

The file "oashdihasidhasuidhiasdhiashdiuasdhasd" is in C:\Documents and Settings\Lee Bell. I looked at the file type in properties and it just says 'File'. It has that generic icon with the white page containing a box with icons in it. It's only 1kb but I just don't know what it is? Surely it can't be anything useful with a filename like that?!

Thanks again for your time,

Lee

#8 shelf life

  • Malware Response Team
  • 2,646 posts
  • Gender: Male
  • Location: @localhost

Posted 25 April 2009 - 12:38 PM

Hi,

You're welcome. MBAM is coming up clean, that's good. Don't know about that .exe, we will trust MBAM; the other with the long weird name you can delete if you want to.
Keep MBAM, and it's good practice to keep it updated even if you don't scan that much with it, and always check it for updates before scanning.
The paid version offers auto updates and a real-time protection component. If all is good then here are some tips to help reduce your threat to malware:


Reducing Your Risk To Malware:
The Short Version:

1) It is essential to keep your OS (Windows), browser (IE, Firefox) and other software up to date to "patch" vulnerabilities that could be exploited. This is now also true for web-based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here.

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software to your computer.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing.*

8) Install and understand the limitations of a software firewall.

9) Consider using an alternate browser and E-mail client. Internet Explorer and Outlook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer.

10) If your habits include warez, cracks etc. or you install files via p2p networks then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

A longer version in link below.

Happy Safe Surfing.

How Can I Reduce My Risk to Malware?
