Here is my Panda ActiveScan, any advice on how to remove the negative items would be much appreciated. I've already posted my MBAM scan and it was all clear. Will post my HiJack this log next.
;*******************************************************************************
ANALYSIS: 2009-01-06 01:01:56
PROTECTIONS: 0
MALWARE: 12
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00029036 adware/superspider Adware No 1 Yes No c:\winspec.dat
00167210 dialer.baj Dialers No 0 Yes No c:\x.cab
00167450 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-28a6d353-4fa94288.zip[VerifierBug.class]
00167451 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-28a6d353-4fa94288.zip[Dummy.class]
00167452 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-28a6d353-4fa94288.zip[BlackBox.class]
00167453 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-28a6d353-4fa94288.zip[Beyond.class]
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@azjmp[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner.HYPERION\Cookies\owner@ads.pointroll[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@go[1].txt
00325547 Trj/Spamtaload.B Virus/Trojan No 0 Yes No C:\Documents and Settings\User\Application Data\Thunderbird\Profiles\gjh29b2u.default\Mail\Local Folders\Inbox[text.zip][text.dat.scr]
00335515 Adware/Beginto Adware No 0 Yes No C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\0PQRSTU7\7-7c15eb3352bcc3049d7e9e974ad283bf[1].exe
02941683 ASF/GetaCodec.A Virus No 0 Yes No C:\Documents and Settings\Owner.HYPERION\My Documents\LimeWire\Saved\When You Leave That Way You Can Never Go back - Confederate Railroad.mp3
;===============================================================================
SUSPECTS
Sent Location H
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description H
;===============================================================================
;===============================================================================
#1
Posted 06 January 2009 - 06:05 AM
#2
Posted 06 January 2009 - 06:10 AM
Here is my HiJack this log. I've already posted my MBAM and Panda ActiveScan logs. My computer has really slowed down as of late, any help or advice will be appreciated.
#3
Posted 06 January 2009 - 06:11 AM
ambushbug, on Jan 6 2009, 01:10 AM, said:
Here is my HiJack this log. I've already posted my MBAM and Panda ActiveScan logs. My computer has really slowed down as of late, any help or advice will be appreciated.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:42 AM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - .DEFAULT User Startup: OpenOffice.org 1.0.lnk = C:\Program Files\OpenOffice.org1.0\program\quickstart.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1218002203546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218010794183
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7B2F93C-27DE-42C7-B1F5-99FB01FC87BE}: NameServer = 216.130.152.4,216.130.156.12
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 3545 bytes
#4
Posted 06 January 2009 - 09:42 AM
Well I don't see any other logs that you're talking about and I don't have time to search the board for them.
Please follow these directions and I'll help you as quick as I can.
Please reboot the computer and then run the following again.
Malwarebytes' Anti-Malware
- Start MalwareBytes AntiMalware
- Update Malwarebytes' Anti-Malware
  - Select the Update tab
  - Click Update
- When the update is complete, select the Scanner tab
- Select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  - If you accidentally close it, the log file is saved here and will be named like this:
  - C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then RESTART the computer again and AFTER the reboot run HJT Scan and Save log
Post back NEW MBAM and HJT logs please.
#5
Posted 06 January 2009 - 10:16 AM
I don't see the other logs. Please run the following and in this order.
Please reboot the computer and then run the following again.
Malwarebytes' Anti-Malware
- Start MalwareBytes AntiMalware
- Update Malwarebytes' Anti-Malware
  - Select the Update tab
  - Click Update
- When the update is complete, select the Scanner tab
- Select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  - If you accidentally close it, the log file is saved here and will be named like this:
  - C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then RESTART the computer again and AFTER the reboot run HJT Scan and Save log
Post back NEW MBAM and HJT logs please.
#6
Posted 06 January 2009 - 01:05 PM
MBAM Log
Malwarebytes' Anti-Malware 1.32
Database version: 1621
Windows 5.1.2600 Service Pack 3
1/5/2009 10:54:20 PM
mbam-log-2009-01-05 (22-54-20).txt
Scan type: Quick Scan
Objects scanned: 67643
Time elapsed: 22 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Panda Active Scan Log
;*******************************************************************************
ANALYSIS: 2009-01-06 01:01:56
PROTECTIONS: 0
MALWARE: 12
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00029036 adware/superspider Adware No 1 Yes No c:\winspec.dat
00167210 dialer.baj Dialers No 0 Yes No c:\x.cab
00167450 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-28a6d353-4fa94288.zip[VerifierBug.class]
00167451 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-28a6d353-4fa94288.zip[Dummy.class]
00167452 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-28a6d353-4fa94288.zip[BlackBox.class]
00167453 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-28a6d353-4fa94288.zip[Beyond.class]
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@azjmp[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner.HYPERION\Cookies\owner@ads.pointroll[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@go[1].txt
00325547 Trj/Spamtaload.B Virus/Trojan No 0 Yes No C:\Documents and Settings\User\Application Data\Thunderbird\Profiles\gjh29b2u.default\Mail\Local Folders\Inbox[text.zip][text.dat.scr]
00335515 Adware/Beginto Adware No 0 Yes No C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\0PQRSTU7\7-7c15eb3352bcc3049d7e9e974ad283bf[1].exe
02941683 ASF/GetaCodec.A Virus No 0 Yes No C:\Documents and Settings\Owner.HYPERION\My Documents\LimeWire\Saved\When You Leave That Way You Can Never Go back - Confederate Railroad.mp3
;===============================================================================
SUSPECTS
Sent Location H
;===============================================================================
;===============================================================================
VULNERABILITIES
Id Severity Description H
;===============================================================================
;===============================================================================
#7
Posted 07 January 2009 - 12:56 AM
I'm sorry, I misunderstood the directions on how to post and posted them in three different threads. They are all listed in this thread http://www.malwarebytes.org/forums/index.p...amp;#entry45263
Once again I apologize for the trouble and thanks in advance for any help.
#8
Posted 07 January 2009 - 01:33 AM
Not sure what's going on but your logs are not complete.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer (or other web browser) before continuing!***
- Double-click on JavaRa.exe to start the program.
- From the drop-down menu, choose English and click on Select.
- JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
- Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
- A logfile will pop up. Please save it to a convenient location.
Please RESTART the computer and then run HJT Scan and Save log.
Post back FULL HJT log.
#9
Posted 07 January 2009 - 01:40 AM
Ok, followed your instructions. Here is the new HJT Scan Log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:03 PM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: OpenOffice.org 1.0.lnk = C:\Program Files\OpenOffice.org1.0\program\quickstart.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1218002203546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218010794183
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7B2F93C-27DE-42C7-B1F5-99FB01FC87BE}: NameServer = 216.130.152.4,216.130.156.12
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 3515 bytes
#10
Posted 07 January 2009 - 09:05 AM
You have no sign of Anti-Virus running on this system which is just asking for trouble.
Unless you're tweaking the heck out of this box with ideas like from Black Viper's site to disable just about everything, something is up with this box. The average Windows computer has many startup files and services yet you have almost none shown.
Please give more details as to what's going on please and run this.
Please download the following scanning tool. GMER
- Open the zip file and copy the file gmer.exe to your Desktop.
- Double click on gmer.exe and run it.
- It may take a minute to load and become available.
- Do not make any changes. As soon as it's done and the COPY button is available click on the COPY button.
- DO NOT Click on the SCAN button.
- This will place the scan in your clipboard. Paste that into notepad or into your next reply post please.
- Click OK and quit the GMER program.
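Added example, not part of the original thread: a small Python triage of a HijackThis log that surfaces the two things the helper reads off it in posts #8 and #10, namely which Java runtime the entries reference and how few autorun (O4) and service (O23) entries are present. The input is a shortened excerpt of the log posted in #9; the function names and the assumption that the Windows directory is `C:\WINDOWS` are this example's own.

```python
import re
from collections import Counter

# Shortened excerpt of the HijackThis log posted in this thread (post #9).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:03 PM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: OpenOffice.org 1.0.lnk = C:\Program Files\OpenOffice.org1.0\program\quickstart.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7B2F93C-27DE-42C7-B1F5-99FB01FC87BE}: NameServer = 216.130.152.4,216.130.156.12
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 3515 bytes
"""

# HijackThis entries start with a section code (R0, F2, N1, O4, O23 ...).
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# A JRE directory name embedded in a file path, e.g. \Java\jre1.6.0_07\
JRE_RE = re.compile(r"\\Java\\(jre[\w.]+)\\", re.IGNORECASE)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_hjt(text):
    """Split a HijackThis log into running processes and (code, body) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the process list ends at the first entry
            entries.append((match.group(1), match.group(2)))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes and DRIVE_PATH_RE.match(line):
            processes.append(line)
    return processes, entries


def triage(text, windows_dir="c:\\windows\\"):
    """Summarise what a reviewer looks at first in the log.

    windows_dir is an assumption of this example (the log itself shows
    C:\\WINDOWS); processes outside it are listed so that a missing
    security product stands out.
    """
    processes, entries = parse_hjt(text)
    counts = Counter(code for code, _ in entries)

    services = []
    for code, body in entries:
        if code == "O23" and body.startswith("Service: "):
            # "name - vendor - path"; split from the right because a
            # service name may itself contain " - ".
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3:
                services.append(dict(zip(("name", "vendor", "path"), parts)))

    jre_versions = sorted(
        {m.group(1).lower() for _, body in entries for m in JRE_RE.finditer(body)}
    )
    outside_windows = [p for p in processes if not p.lower().startswith(windows_dir)]

    return {
        "process_count": len(processes),
        "outside_windows": outside_windows,
        "autoruns": [body for code, body in entries if code == "O4"],
        "services": services,
        "jre_versions": jre_versions,
        "counts": dict(counts),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On this excerpt the only process outside the Windows directory is HijackThis itself, and the entries reference a single runtime directory, `jre1.6.0_07`.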