Hijack Log

tripsmmm
edited November 2008 in Logs analysis

OS: Vista Ult 64bit

A trojan got in by my own foolishness and I had some adware probs. The computer was unprotected, being reasonably new and self-built. Am now running [removed] free and have also got Reg Mechanic, which seems to ignore most of the probs it finds. I've had no issues with the other computers that are running BitDefender, but to be safe I have pulled the network cable on the infected machine.

Some good news would be nice.

Thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:16:05 PM, on 24/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\ASUS\Ai Suite\EnergySaving\PwSave.exe
C:\Program Files\ASUS\Ai Suite\CpuLevelUpHookLaunch.exe
C:\Program Files (x86)\ASUS\AASP\1.00.59\aaCenter.exe
C:\Program Files\ASUS\Ai Suite\CpuLevelUpHook32.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files (x86)\Registry Mechanic\RMTray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe
C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe
C:\Program Files (x86)\AVG\AVG8\avgtray.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Users\tripsmmm\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~2\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~2\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [soundTray] "C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe"
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files (x86)\Registry Mechanic\rmtray.exe /H
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Registration Assassin's Creed.LNK = C:\Program Files (x86)\Ubisoft\Assassin's Creed\Register\RegistrationReminder.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O13 - Gopher Prefix:
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Unknown owner - C:\Windows\system32\AEADISRV.EXE (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\bin32\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7500 bytes

Comments

  • Download Malwarebytes' Anti-Malware from here:

    http://www.malwarebytes.org/mbam.php

    Once the download is complete, run the install program and accept all of the default options. Make sure that the options to Update and Launch the software are checked when you click Finish.

    Now, let's make sure that it has all of the latest anti-spyware definitions: click on the Update tab and click the Check for Updates button.

    After the updates have been loaded, click on the Scanner tab and choose the Perform Complete Scan option, then click the Scan button.

    When the scan is complete, it will show you all of the potentially harmful files on your computer. Click the button to remove them automatically.

    Paste the scan log here. :)

  • Nothing's wrong with your HijackThis log :)

  • Cheers for the quick reply, crysty2k5, and for the input, VirusPING.

    I neglected to mention that I had already come across Malwarebytes and used it, just a quick scan though. The log is below for the sake of following through. An additional full scan came in clean. I err on the side of caution because of tracker cookies like @serving-sys remaining. Ignorance does breed fear. I have since learnt not all are bad. I'm pretty confident my machine is clean.

    Thanks kindly for the assistance.


    Malwarebytes' Anti-Malware 1.30
    Database version: 1419
    Windows 6.0.6001 Service Pack 1

    24/11/2008 10:58:01 AM
    mbam-log-2008-11-24 (10-58-01).txt

    Scan type: Quick Scan
    Objects scanned: 37256
    Time elapsed: 1 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 8
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{9233c3c0-1472-4091-a505-5580a23bb4ac} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{23198981-7246-2544-ba21-4ed99352de91} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{23198981-7246-2544-ba21-4ed99352de91} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d6d33ac-da0d-0830-424c-f0dda486e712} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{2d6d33ac-da0d-0830-424c-f0dda486e712} (Adware.BHO) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlvshhoaazh (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Windows\System32\xoyambqpueubkv.dll (Trojan.Agent) -> Delete on reboot.
    C:\Windows\SysWOW64\xoyambqpueubkv.dll (Adware.BHO) -> Delete on reboot.
    C:\Windows\SysWOW64\rwmmpcoutqdq.dll (Adware.BHO) -> Delete on reboot.
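As an added illustration (not code from this thread or from Malwarebytes), a small Python triage helper for the MBAM log format posted above: it parses the summary counts and the per-section detection lines, checks that the counts reconcile with what is listed, reports files still waiting on "Delete on reboot" (the machine is not clean until that reboot has happened), and picks out the autostart locations (Run value, BHO registrations) among the detections. The sample input is a constructed excerpt of the log above with the summary counts adjusted to the subset of lines kept.

```python
import re
from collections import Counter

# Constructed excerpt of the MBAM 1.30 log posted above; counts match this subset only.
SAMPLE_LOG = r"""
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 1
Files Infected: 2
Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{23198981-7246-2544-ba21-4ed99352de91} (Adware.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlvshhoaazh (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\Windows\System32\xoyambqpueubkv.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\SysWOW64\rwmmpcoutqdq.dll (Adware.BHO) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")   # "Files Infected: 2"
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")                  # "Files Infected:"
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")

def parse_mbam_log(text):
    """Split an MBAM log into its summary counts and the detection lines per section."""
    summary, items, section = {}, [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := SUMMARY_RE.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := HEADER_RE.match(line):
            section = m["section"]
        elif (m := ITEM_RE.match(line)) and section:
            items.append({"section": section, "target": m["target"],
                          "family": m["family"], "action": m["action"]})
    return summary, items

def check_counts(summary, items):
    """Sections whose summary count disagrees with the items listed: {section: (claimed, listed)}."""
    seen = Counter(i["section"] for i in items)
    return {s: (n, seen[s]) for s, n in summary.items() if seen[s] != n}

def pending_reboot(items):
    """Files MBAM could only schedule for deletion; they are still present until the reboot."""
    return [i["target"] for i in items if i["action"].startswith("Delete on reboot")]

def autostart_hits(items):
    """Detections that sit in a persistence location (Run values, BHO registrations)."""
    return [i["target"] for i in items
            if "\\CurrentVersion\\Run\\" in i["target"] or "Browser Helper Objects" in i["target"]]
```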

  • If the files are still in quarantine and NOT deleted, then submit them to Bitdefender so they can detect them.

  • Will keep in mind for future issues but have already deleted this time. Live and learn.

  • Ok! :)