
vizion

Honorary Members
  • Posts

    23
Everything posted by vizion

  1. That's good -- I did not have time to look at it closely to see what is going on, just flagging up that there is a bug, and if I can see it so can others -- bad guys look for more when they find one!! Anyway I have done my bit <chuckles> david
  2. Suggest you report it to Google Analytics support. You could start in the forum http://www.googlecommunity.com/forum/other...ytics-bugs.html You should get some pointers there. I suggest you search the relevant code and then open your site remotely on a machine equipped with debugging tools and paste the code and the notifications into the forum. You should also check that the line numbers given in the notification coincide with the source (sometimes the notification gives the wrong line numbers!!). It is worth watching these things -- hackers often start by looking at web site coding errors when they want to hack your site, and my guess is that you, Malwarebytes, could be an attractive target to some of those b******s - so I would recommend you give errors like this close attention. david
  3. It seems to be a widespread problem. On the homepage an example snippet may be: </script> <script type="text/javascript"> var pageTracker = _gat._getTracker("UA-3347303-1"); pageTracker._initData(); pageTracker._trackPageview(); </script> Most pages I open display this problem. PS This bug is of course mainly apparent in Internet Explorer -- Chrome, Netscape do not exhibit similar difficulties -- MS$ & MS$ VS make it apparent. david
  4. My 64-bit system is equipped with debugging tools that show all errors in scripts. I thought you might like to know there are multiple errors "_gat is undefined". One example may be coming from this code segment: </script> <script type="text/javascript"> var pageTracker = _gat._getTracker("UA-3347303-1"); pageTracker._initData(); pageTracker._trackPageview(); </script> If you want more info let me know, but I would think a quick search through the code for your main forum pages and the home page should put you on track. david
  5. Thanks very much for your observations - your point about start ups I felt to be very apt! Thank you. However I wanted to tell you that unless I missed something I found the other link very disappointing. I felt you should be aware of this before providing the link to someone else in similar circumstances. That was because I only found that site using the "Keyhook error" as a label upon which to make a strong pitch to purchase Registry Mechanic. I found no information focussing on the problem. Maybe I missed something, in which case I apologise, but maybe you did not realise the site does not really seem to offer solutions to problems but only uses the existence of known problems as a "hook" to sell a product that may or may not fix the problem!!! I would caution other users about that site - whilst I am sure the product has genuine benefits and may be an excellent general registry tool (I actually have a licensed copy on one of my systems) -- however it does not really offer the ability to fix problems of this nature even though it uses the existence of any problem as an inducement to buy. Their website (however good their software may be) seems to me to be an example of poor marketing practices and I leave it with the feeling their administration is ethically challenged. A site to be only recommended with caution would be my conclusion. Thanks again David
  6. If someone who knows about these things could take a look at this one it would be appreciated. In another topic I referred to Sys2 and the reasons why I am posting these logs. This topic is about Sys 3 which is a Win XP 64 system on the same local network in which extensive use is made of network shares. So the risk of cross infection is high. http://www.malwarebytes.org/forums/index.p...st=0#entry28996 This system does not show any overt sign of problems; however the Event log is also showing problems with the Windows Search service (see the above thread on Sleuth). Here is the entry:
      Source: Windows Search Service
      Category: Gatherer
      Event ID 3083
      The protocol handler Search.Mapi2Handler.1 cannot be loaded. Error description: Class not registered
      Results from Microsoft support centre yields very little: Results for: Microsoft product: Windows Operating System; Version: 7.0.6001.16503; ID: 3083; Event Source: Windows Search Service; File name: tquery.dll.mui;
      Another event log error:
      Source: Crypt32
      Category: None
      Event ID 8
      Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.
      Results from Microsoft support centre yields nothing. Kaspersky does not pick up any problems but I am not totally reassured by that <chuckles> Thanks in advance David hijackthis_Sleuth64.txt
  7. OK I thought I would double check after Bruce found the way to clear one of my systems from a new and nasty rootkit. So, on Bruce's recommendation I post HiJackThis for each system starting with the two that did not appear clean. This system is called Sleuth. I would really appreciate it if someone could take a look at the logs. I know these damn trojans have a habit of infecting systems on the same network especially when, as in this case, there is extensive use of network shares. As we believe the infected machine is now clear, I would like to be reasonably sure about the others, but Bruce's time is very precious and he needs to concentrate on other things. Attached is the HiJackThis log file from Sleuth. This machine is sometimes extremely slow but I have no solid reason for believing it is infected. However it has a notification error after login:
      Keyhook.exe - Entry point not found
      The procedure entry point ? DDrawSupportGetDriverName@CSISEsc@@QAEHPADH@Z could not be located in the dynamic link library SiSApCom.dll
      There are also notices of the following type in the event log:
      Source: Windows Search Service
      Event ID 1015 Time 5:47:26 AM
      Event ID 3013 for the Windows search service has been suppressed 100 times since 5:26:32 AM. This event is used to suppress Windows search events that have incurred frequently within a short period........
      Event ID 3013 (NB the system is on drive E:\ not C:\)
      The entry <E:\CONFIG.MSI\77DAE.RBF> in the hash map cannot be updated. Context: Application, SystemIndexCatalog Details A device attached to the system is not functioning (0x8007001f)
      I am sorry to say I know more about administering Unix systems than MS$ so am not certain what to do about this... if I were to rely on instinct alone I would say this is not a malware related problem -- but instincts need to be disabused from time to time!!! <chuckles> Thanks David hijackthis_Sleuth.txt
  8. And last but not least the one from the machine that we worked on. You have three of a kind now, can you turn it into a full house? <chuckles> David hijackthis_Pfast_2008_09_23.txt
  9. Here is the one from Sleuth 64. BTW I found gmer does not seem to like XP Pro Win64. David hijackthis_Sleuth64_2008_09_23.txt
  10. OK I thought I would double check so I am running HiJackThis on each of the systems starting with the ones that appeared clean. If/when you get a chance I would really appreciate it if you could take a look at the logs. I know these damn trojans have a habit of infecting systems on the same network especially when, as in this case, there is extensive use of network shares. As we have cleared one I would like to be reasonably sure about the others. Attached is the HiJackThis log file from Sleuth. This machine is sometimes extremely slow and has the following notification error after login:
      Keyhook.exe - Entry point not found
      The procedure entry point ? DDrawSupportGetDriverName@CSISEsc@@QAEHPADH@Z could not be located in the dynamic link library SiSApCom.dll
      When you get a chance. Thanks David hijackthisSleuth_2008_09_23.txt
  11. I updated and applied the update to each machine (1 x XP Pro 64 [sleuth64] + 1 x XP Pro 32 [sleuth] + 1 x XP Pro 32 [PFast]). Sleuth 64 & Sleuth passed completely clean, HOWEVER your latest update unearthed two more problems on PFast. I have attached the Malwarebytes log file. Do you need any more info? David mbam_log_2008_09_23__14_17_41_.txt
  12. That has been done see: http://www.malwarebytes.org/forums/index.php?showtopic=6455
  13. Here it is.. You are right on the nail. The weird thing is that nhvjgpmc looked a bit odd to me but I had no way of checking it out.. Where do we go from here?? Thanks for sticking with this and pushing me in the right direction David gmer_log.txt
  14. Sudden thought: I ran HijackThis when I logged on to this computer -- but the person who normally uses PFast naturally has a different profile -- I only use the system when there are problems!! SO I have run another HijackThis and have attached the log which you might find even more interesting David hijackthis_User2_2008_09_22.txt
  15. Apologies on both counts.. I did not update and I copied and pasted!!! Hope this gives you all the necessary. BTW I see this has the line about the "now" missing avifil3.dll David hijackthis2008_09_22.txt
  16. ZIP file attached, includes search of all locations found for the file
  17. Just for the record HijackThis log shows:
      Logfile of HijackThis v1.99.1
      Scan saved at 18:20:13, on 22/09/2008
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16705)
      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\cisvc.exe
      C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
      C:\WINDOWS\system32\inetsrv\inetinfo.exe
      C:\WINDOWS\system32\tcpsvcs.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\WINDOWS\System32\snmp.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\mqsvc.exe
      C:\WINDOWS\system32\SearchIndexer.exe
      C:\WINDOWS\system32\mqtgsvc.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Windows Desktop Search\WindowsSearch.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\WINDOWS\system32\cidaemon.exe
      C:\WINDOWS\system32\cidaemon.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
      C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
      C:\WINDOWS\system32\cmd.exe
      C:\WINDOWS\system32\SearchProtocolHost.exe
      C:\WINDOWS\system32\NOTEPAD.EXE
      C:\WINDOWS\system32\cidaemon.exe
      C:\Program Files\HijackThis\HijackThis.exe
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\David Southwell\Application Data\Mozilla\Profiles\default\vk9m06fi.slt\prefs.js)
      O2 - BHO: (no name) - AutorunsDisabled - (no file)
      O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
      O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
      O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
      Complete scan by ESET online showed clean system; Malwarebytes shows clean apart from the registry entries David
  18. Done all that and it does not help because nothing is revealed by HijackThis. The problem seems to be related to registry permissions. After using so many malware tools I have finally found something that seems to tell me what is going on. Using subinacl.exe downloaded from Microsoft TechNet I ran:
      subinacl /subkeyreg \HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Explorer /display >C:\mydir\myfilename
      Opening the file I got a string of information about all the permissions for all the keys/subkeys in Explorer BUT GUESS WHAT the lines for Browser Settings were:
      : 5 Access denied
      : 6 Unable to enumerate subkeys
      My file size is 3,647kb and no other key or subkey produces that response. So this seems to explain why Malwarebytes was unable to delete the keys and why it was not able to do so on reboot. I am going to try a few more things but I thought you might be interested to know. These registry entries were a hangover from Malwarebytes deleting avifil3.dll, which was successfully removed from the system leaving these weird entries in the register behind. David
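The same locked-key check that post 18 did with subinacl, written here as an added PowerShell example (not vizion's or Malwarebytes' code): it walks the Explorer key named in the thread, reports every subkey that cannot be enumerated or whose ACL cannot be read, and lists any explicit Deny entries, which is what a defender wants to see before deciding whether a leftover key is merely orphaned or deliberately locked. Only the root path comes from the post; the function and output layout are assumptions.

```powershell
# Added example, not code from the thread: report registry subkeys that behave
# like the "Access denied / Unable to enumerate subkeys" lines subinacl printed.
# Run from an elevated PowerShell prompt. Root key is the one from the post.
$Root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'

function Test-RegistryKeyAccess {
    param([string]$Path)
    $r = [ordered]@{ Path = $Path; CanEnumerate = $true; CanReadAcl = $true
                     DenyEntries = ''; Error = $null }
    try {
        $null = Get-ChildItem -LiteralPath $Path -ErrorAction Stop
    } catch {
        $r.CanEnumerate = $false
        $r.Error = $_.Exception.Message
    }
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
        # Explicit Deny ACEs are how a key ends up locked even for Administrators,
        # which would explain a removal tool's "Delete on Reboot" never succeeding.
        $r.DenyEntries = ($acl.Access |
            Where-Object { $_.AccessControlType -eq 'Deny' } |
            ForEach-Object { "$($_.IdentityReference)=$($_.RegistryRights)" }) -join '; '
    } catch {
        $r.CanReadAcl = $false
        if (-not $r.Error) { $r.Error = $_.Exception.Message }
    }
    [pscustomobject]$r
}

# Breadth-first walk; keys that cannot be enumerated are reported but not descended.
$queue = New-Object 'System.Collections.Generic.Queue[string]'
$queue.Enqueue($Root)
$findings = while ($queue.Count -gt 0) {
    $current = $queue.Dequeue()
    $check = Test-RegistryKeyAccess -Path $current
    if (-not $check.CanEnumerate -or -not $check.CanReadAcl -or $check.DenyEntries) { $check }
    if ($check.CanEnumerate) {
        Get-ChildItem -LiteralPath $current -ErrorAction SilentlyContinue |
            ForEach-Object { $queue.Enqueue($_.PSPath) }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { "No locked keys found under $Root" }
```

A key that shows up with CanEnumerate false but no Deny entries usually means the ACL owner has been changed so that even reading the DACL fails; taking ownership first (as an administrator) is then the usual prerequisite before the key can be removed.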
  19. Malwarebytes' Anti-Malware 1.28
      Database version: 1161
      Windows 5.1.2600 Service Pack 3
      22/09/2008 09:29:00
      mbam-log-2008-09-22 (09-28-40).txt
      Scan type: Quick Scan
      Objects scanned: 53025
      Time elapsed: 10 minute(s), 17 second(s)
      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 4
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0
      Registry Values Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.
      After the scan, Remove is clicked and a deletion-on-reboot indication is given - however the entries are NOT deleted on reboot. Attempts to delete the registry entries manually also fail (including attempts whilst in safe mode). There seems to be something unusual with permission settings. Attempts to change permission settings also fail. I have searched for guidelines to deal with registry entries that appear to be locked out to prevent changes but so far found nothing useful. Thanks in advance David
  20. Malwarebytes log all clean except for the following entries under the heading Registry Values Infected. Entries are:
      HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\EXPLORER\Browser Settings\bf (Trojan.Agent) -> Delete on Reboot
      HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\EXPLORER\Browser Settings\bk (Trojan.Agent) -> Delete on Reboot
      HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\EXPLORER\Browser Settings\iu (Trojan.Agent) -> Delete on Reboot
      HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\EXPLORER\Browser Settings\mu (Trojan.Agent) -> Delete on Reboot
      Other symptoms for this system: Windows 5.1.2600 Service Pack 3. No other infections reported on Malwarebytes scan. On boot up, repeated showing of "svchost.exe - Application error The memory could not be read" and "Generic Host Process for Win32".
      Action taken: repeated removal attempts for the svchost.exe and Generic Host Process problems by reference to support.microsoft.com/kb/821690 & 927385 all resulted in failure to deal with those issues. As to the reported registry entries, all forms of removal fail. Delete on reboot does not appear to succeed. I have tried deleting using regedit but deletion fails with "unable to delete all specified values" when attempting to delete one or all of these values. I have even tried to delete all Browser Settings values without success. Can anyone please point me in the right direction? Thanks David