Author Topic: Malware scan logfiles  (Read 3471 times)

peterpasta

    Topic Starter


    Greenhorn

    Malware scan logfiles
    « on: May 28, 2008, 12:31:50 PM »
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 05/29/2008 at 02:00 AM

    Application Version : 4.1.1046

    Core Rules Database Version : 3469
    Trace Rules Database Version: 1460

    Scan type       : Complete Scan
    Total Scan Time : 00:20:28

    Memory items scanned      : 395
    Memory threats detected   : 0
    Registry items scanned    : 3370
    Registry threats detected : 28
    File items scanned        : 20510
    File threats detected     : 20

    Rogue.WinIFixer
       C:\Documents and Settings\DRAGO\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\HKCU\RunOnce
       C:\Documents and Settings\DRAGO\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\HKCU
       C:\Documents and Settings\DRAGO\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\HKLM\RunOnce
       C:\Documents and Settings\DRAGO\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\HKLM
       C:\Documents and Settings\DRAGO\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\StartMenuAllUsers
       C:\Documents and Settings\DRAGO\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun\StartMenuCurrentUser
       C:\Documents and Settings\DRAGO\Application Data\WinIFixer.com\WinIFixer\Quarantine\Autorun
       C:\Documents and Settings\DRAGO\Application Data\WinIFixer.com\WinIFixer\Quarantine\BrowserObjects
       C:\Documents and Settings\DRAGO\Application Data\WinIFixer.com\WinIFixer\Quarantine\Packages
       C:\Documents and Settings\DRAGO\Application Data\WinIFixer.com\WinIFixer\Quarantine
       C:\Documents and Settings\DRAGO\Application Data\WinIFixer.com\WinIFixer
       C:\Documents and Settings\DRAGO\Application Data\WinIFixer.com
       C:\Program Files\WinIFixer\MFC71.dll
       C:\Program Files\WinIFixer\MFC71ENU.DLL
       C:\Program Files\WinIFixer\msvcp71.dll
       C:\Program Files\WinIFixer\msvcr71.dll
       C:\Program Files\WinIFixer\WinIFixer.exe
       C:\Program Files\WinIFixer\WinIFixerSkin.dll
       C:\Program Files\WinIFixer
       HKLM\Software\Microsoft\Windows\CurrentVersion\Run#WinIFixer [ C:\Program Files\WinIFixer\WinIFixer.exe ]
       HKLM\Software\winifixer.com
       HKLM\Software\winifixer.com#MGuid
       HKLM\Software\winifixer.com\WinIFixer
       HKLM\Software\winifixer.com\WinIFixer#RegistrationUrl
       HKLM\Software\winifixer.com\WinIFixer#RegistrationDiscUrl
       HKLM\Software\winifixer.com\WinIFixer#ADVid
       HKLM\Software\winifixer.com\WinIFixer#InstallDir
       HKLM\Software\winifixer.com\WinIFixer#domain
       HKLM\Software\winifixer.com\WinIFixer#SoftID
       HKLM\Software\winifixer.com\WinIFixer#DatabaseVersion
       HKLM\Software\winifixer.com\WinIFixer#ProgramVersion
       HKLM\Software\winifixer.com\WinIFixer#EngineVersion
       HKLM\Software\winifixer.com\WinIFixer#GuiVersion
       HKLM\Software\winifixer.com\WinIFixer#ProxyName
       HKLM\Software\winifixer.com\WinIFixer#ProxyPort
       HKLM\Software\winifixer.com\WinIFixer#ScanPriority
       HKLM\Software\winifixer.com\WinIFixer#DaysInterval
       HKLM\Software\winifixer.com\WinIFixer#ScanDepth
       HKLM\Software\winifixer.com\WinIFixer#ScanSystemOnStartup
       HKLM\Software\winifixer.com\WinIFixer#AutomaticallyUpdates
       HKLM\Software\winifixer.com\WinIFixer#MinimizeOnStart
       HKLM\Software\winifixer.com\WinIFixer#BackgroundScan
       HKLM\Software\winifixer.com\WinIFixer#BackgroundScanTimeout
       HKLM\Software\winifixer.com\WinIFixer#InstallationID
       HKLM\Software\winifixer.com\WinIFixer#LastTimeStamp
       HKLM\Software\winifixer.com\WinIFixer#LastUpdateDate
       HKLM\Software\winifixer.com\WinIFixer\Settings

    Trojan.Unknown Origin
       C:\WINDOWS\SYSTEM32\CTFMONB.BMP

    peterpasta

      Topic Starter


      Greenhorn

      Re: Malware scan logfiles
      « Reply #1 on: May 28, 2008, 12:32:35 PM »
      Malwarebytes' Anti-Malware 1.12
      Database version: 794

      Scan type: Quick Scan
      Objects scanned: 38348
      Time elapsed: 3 minute(s), 6 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 2
      Registry Values Infected: 7
      Registry Data Items Infected: 0
      Folders Infected: 5
      Files Infected: 6

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      HKEY_CURRENT_USER\Software\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

      Registry Values Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\RegistrySmart\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\RegistrySmart\Microsoft.VC80.MFC\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\RegistrySmart\Microsoft.VC80.CRT\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\Control Panel\Desktop\OriginalWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\Control Panel\Desktop\ConvertedWallpaper (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE (Trojan.FakeAlert) -> Quarantined and deleted successfully.

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      C:\Program Files\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
      C:\Program Files\RegistrySmart\Microsoft.VC80.CRT (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
      C:\Program Files\RegistrySmart\Microsoft.VC80.MFC (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
      C:\Documents and Settings\DRAGO\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
      C:\Documents and Settings\DRAGO\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

      Files Infected:
      C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\WINDOWS\system32\blackster.scr (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\Documents and Settings\DRAGO\Application Data\RegistrySmart\Log\2007 Oct 03 - 12_09_38 PM_421.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
      C:\Documents and Settings\DRAGO\Application Data\RegistrySmart\Log\2007 Oct 03 - 12_09_39 PM_906.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
      C:\Documents and Settings\DRAGO\Application Data\RegistrySmart\Log\2007 Oct 03 - 12_48_37 PM_812.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
      C:\Documents and Settings\DRAGO\Application Data\RegistrySmart\Log\2007 Oct 03 - 12_48_38 PM_984.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

      peterpasta

        Topic Starter


        Greenhorn

        Re: Malware scan logfiles
        « Reply #2 on: May 28, 2008, 12:33:14 PM »
        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 2:31:10 AM, on 5/29/2008
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
        C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
        C:\WINDOWS\System32\WLTRYSVC.EXE
        C:\WINDOWS\System32\bcmwltry.exe
        C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        C:\Program Files\Alwil Software\Avast4\ashServ.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
        C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
        C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
        C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
        C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
        C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
        C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
        C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
        C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
        C:\WINDOWS\system32\wuauclt.exe
        C:\WINDOWS\system32\WgaTray.exe
        C:\WINDOWS\Explorer.EXE
        C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
        C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
        C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
        C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
        O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
        O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
        O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
        O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
        O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
        O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191431293484
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191431278781
        O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
        O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
        O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
        O23 - Service: Access Connections Main Service (AcSvc) - Lenovo  - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
        O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
        O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
        O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
        O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
        O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
        O23 - Service: Fn+F5 Service (FNF5SVC) - Lenovo. - C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
        O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
        O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
        O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
        O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

        --
        End of file - 5670 bytes

        evilfantasy

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Calm like a bomb
        • Thanked: 493
        • Experience: Experienced
        • OS: Windows 11
        Re: Malware scan logfiles
        « Reply #3 on: May 28, 2008, 12:45:32 PM »
        Open Hijackthis and select Do a system scan only.

        Place a check mark next to the following entries: (if there)

        O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

        Important: Close all windows except for Hijackthis and then click Fix checked.

        Exit Hijackthis.

        ----------

        Download ATF Cleaner by Atribune.
        Note: Vista users must use Run As Administrator
        • Double-click ATF-Cleaner.exe to run the program.
          Under Main choose: Select All
          Click the Empty Selected button.
        If you use Firefox browser
        • Click Firefox at the top and choose: Select All
          Click the Empty Selected button.
          NOTE: If you would like to keep your saved passwords, please click No at the prompt.
        If you use Opera browser
        • Click Opera at the top and choose: Select All
          Click the Empty Selected button.
          NOTE: If you would like to keep your saved passwords, please click No at the prompt.
        Click Exit on the Main menu to close the program.

        ----------

        How is everything now?
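The triage step evilfantasy performs in the reply above (scanning the HijackThis log for the O20 Winlogon Notify entry whose DLL is marked "(file missing)") can be automated for HijackThis-style logs. The following is an added example, not part of the original thread and not code from HijackThis or any of the tools named here; the sample log lines are copied from the log posted earlier in this thread, and the names `parse_hjt`, `flag_entries` and `fix_checklist` are this example's own.

```python
"""Triage helper for HijackThis-style log entries.

Added example (not from the thread or from HijackThis). It parses the
"Oxx - ..." lines into records and flags the conditions a log reviewer
checks first: entries whose referenced file is missing, services with no
publisher recorded, and Winsock LSP entries the scanner did not recognise.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample lines taken from the HijackThis log posted above in this thread.
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_06\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: NICSer_WPC54G - Unknown owner - C:\\Program Files\\Linksys\\Wireless-G Notebook Adapter\\NICServ.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""

# Every HijackThis finding starts with a section tag such as "O4" or "O20".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Entry:
    section: str        # e.g. "O20"
    body: str           # everything after "Oxx - "
    file_missing: bool  # HijackThis appends "(file missing)" to orphaned entries
    unknown_owner: bool # O23 services whose publisher could not be read


def parse_hjt(text: str) -> list[Entry]:
    """Turn the finding lines of a HijackThis log into Entry records.

    Header lines, the running-process list and blank lines do not match the
    "Oxx - " pattern and are skipped.
    """
    entries: list[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        entries.append(Entry(
            section=section,
            body=body,
            file_missing="(file missing)" in body,
            unknown_owner=(section == "O23" and "Unknown owner" in body),
        ))
    return entries


def flag_entries(entries: list[Entry]) -> list[tuple[str, Entry]]:
    """Return (reason, entry) pairs that deserve a second look by a reviewer."""
    flagged: list[tuple[str, Entry]] = []
    for e in entries:
        if e.file_missing:
            flagged.append(("orphaned entry: referenced file is missing", e))
        elif e.unknown_owner:
            flagged.append(("service with no publisher recorded", e))
        elif e.section == "O10":
            flagged.append(("Winsock LSP entry not recognised by the scanner", e))
    return flagged


def fix_checklist(entries: list[Entry]) -> list[str]:
    """Reproduce the lines a helper would tell the user to tick in HijackThis.

    Only orphaned entries are returned: an entry whose file is missing does
    nothing useful and is safe to remove, whereas unknown-owner services and
    unrecognised LSPs need a human decision first.
    """
    return [f"{e.section} - {e.body}" for e in entries if e.file_missing]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for reason, entry in flag_entries(parsed):
        print(f"[{entry.section}] {reason}: {entry.body}")
    print("Tick and 'Fix checked':")
    for line in fix_checklist(parsed):
        print("  " + line)
```

Run against the sample, the checklist contains exactly the ACNotify line that the moderator singled out, while the unknown-owner Linksys service and the Winsock LSP line are only reported for review, not queued for removal.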

        peterpasta

          Topic Starter


          Greenhorn

          Re: Malware scan logfiles
          « Reply #4 on: May 28, 2008, 02:09:36 PM »
          Everything is running better than ever! Thank you!

          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 493
          • Experience: Experienced
          • OS: Windows 11
          Re: Malware scan logfiles
          « Reply #5 on: May 28, 2008, 02:24:35 PM »
          Final steps...

          Set a New Restore Point to prevent possible reinfection from an old one
          Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
          • Go to Start > Programs > Accessories > System Tools and click System Restore
          • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
          • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
          • Next go to Start > Run and type Cleanmgr
          • Click OK
          • Click the More Options Tab.
          • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
          Use the Secunia Software Inspector to check for out of date software.
          • Click Start Now
          • Check the box next to Enable thorough system inspection.
          • Click Start
          • Allow the scan to finish and scroll down to see if any updates are needed.
          • Update anything listed.
          Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

          To prevent unknown applications from being installed on your computer install WinPatrol 2008

          Another thing I would suggest is installing SiteAdvisor. SiteAdvisor rates sites on business practices and spam.

          SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.

          Using SpywareBlaster to protect your computer from Spyware and Malware

          Check out Keeping Yourself Safe On The Web for tips and free tools to keep you safe in the future.

          Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.