Definitely infected, but what?
 
  Tweaks.com
Posted 5/16/2008 5:15 AM
New Member


Group: Forum Members
Last Login: 7/19/2008 1:38 PM
Posts: 32, Visits: 92
Here are the results of the requested scans
//-----------------------------------------------------------------
//
//Product: BitDefender 8 Free Edition
//Version: 8.0
//
//Created on: 16/05/2008 00:23:02
//
//-----------------------------------------------------------------


Statistics

Scan path: C:\
D:\
E:\
F:\
G:\
H:\
Folders: 4759
Files: 249586
Archives: 2083
Packed files: 7645
Identified viruses: 9
Infected files: 11
Warnings: 0
Suspect files: 0
Disinfected files: 0
Deleted files: 0
Copied files: 0
Moved files: 10
Renamed files: 0
I/O errors: 32
Scan time: 01:15:23
Scan speed (files/sec): 55

Virus definitions: 1094044
Scan plugins: 14
Archive plugins: 39
Unpack plugins: 7
Mail plugins: 6
System plugins: 1

Scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: vscan.log
[ ] Append to existing report

Summary:

C:\QooBox\Quarantine\C\0xf9.exe.vir    Infected Generic.Malware.dld!!.90566892
C:\QooBox\Quarantine\C\0xf9.exe.vir    Disinfection failed
C:\QooBox\Quarantine\C\0xf9.exe.vir    Moved
C:\SDFix\backups\backups.zip=>backups/msdirect.sys    Infected Backdoor.ForBot.M
C:\SDFix\backups\backups.zip=>backups/msdirect.sys    Disinfection failed
C:\SDFix\backups\backups.zip    Moved
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\016RGT2B\cyber[1].wmf    Infected Exploit.Win32.WMF-PFV
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\016RGT2B\cyber[1].wmf    Disinfection failed
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\016RGT2B\cyber[1].wmf    Moved
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\016RGT2B\dnlsvc[1].exe    Infected Trojan.Hacktool.Rootkit.BR
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\016RGT2B\dnlsvc[1].exe    Disinfection failed
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\016RGT2B\dnlsvc[1].exe    Moved
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\016RGT2B\test[1].htm    Infected Exploit.ADODB.Stream.BU
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\016RGT2B\test[1].htm    Disinfection failed
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\016RGT2B\test[1].htm    Moved
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0Z5U5S82\loader[1].exe    Infected Generic.Malware.dld!!.90566892
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0Z5U5S82\loader[1].exe    Disinfection failed
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0Z5U5S82\loader[1].exe    Moved
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GL2F0D6B\2[1].ani    Infected Exploit.Win32.MS05-002.Gen
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GL2F0D6B\2[1].ani    Disinfection failed
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GL2F0D6B\2[1].ani    Moved
C:\z_Drivers\svchost.exe    Infected Trojan.Generic.163127
C:\z_Drivers\svchost.exe    Disinfection failed
C:\z_Drivers\svchost.exe    Moved
F:\EMULS\MAME\FrontENDS\MALA\MaLaKeyHook.dll    Infected Backdoor.Bancodor.I
F:\EMULS\MAME\FrontENDS\MALA\MaLaKeyHook.dll    Disinfection failed
F:\EMULS\MAME\FrontENDS\MALA\MaLaKeyHook.dll    Moved
F:\EMULS\MAME\FrontENDS\MaLa.7z=>MaLaKeyHook.dll    Infected Backdoor.Bancodor.I
F:\EMULS\MAME\FrontENDS\MaLa.7z=>MaLaKeyHook.dll    Disinfection failed
F:\EMULS\MAME\FrontENDS\MaLa.7z=>MaLaKeyHook.dll    Move failed
F:\EMULS\N64\1964_099.exe    Infected Trojan.Generic.79287
F:\EMULS\N64\1964_099.exe    Disinfection failed
F:\EMULS\N64\1964_099.exe    Moved
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/16/2008 at 02:27 AM

Application Version : 4.0.1154

Core Rules Database Version : 3462
Trace Rules Database Version: 1453

Scan type : Complete Scan
Total Scan Time : 00:25:28

Memory items scanned : 279
Memory threats detected : 0
Registry items scanned : 4166
Registry threats detected : 11
File items scanned : 15458
File threats detected : 7

Trojan.Unknown Origin
c:\z_Drivers
C:\WINDOWS\..\z_Drivers

Trojan.SystemDriver
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#DriverLoad
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#DriverCheck
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#SystemDriverLoad
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#Winhost
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#Winhost1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#Winhost2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#Winhost3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#Winhost4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#ADriver
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#FDriver
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#SystemDriver

Trojan.MSDirect
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7C8E56DE-8F65-4744-A90C-6E3BE24FA74E}\RP69\A0040205.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7C8E56DE-8F65-4744-A90C-6E3BE24FA74E}\RP69\A0040209.SYS

Trojan.Downloader-DnlSvc
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7C8E56DE-8F65-4744-A90C-6E3BE24FA74E}\RP71\A0040319.EXE

Trojan.Downloader-Gen/Searcher
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7C8E56DE-8F65-4744-A90C-6E3BE24FA74E}\RP71\A0040390.EXE

Adware.Tracking Cookie
C:\WINDOWS\system32\config\systemprofile\Cookies\system@www.cadelasexy[2].txt

Logfile of HijackThis v1.99.1
Scan saved at 11:07:53, on 16/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080130-2132\soffice.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Poi\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://techwhims.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKCU\..\Run: [SODCPreLoad] C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080130-2132\preload.exe C:\PROGRA~1\IBM\Lotus\Symphony\data\.sodc\
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe

----------------------------------------------------------------------

I have deleted all the detected spyware using SUPERAntiSpyware; I did a second scan and nothing was detected.
I intend to delete the infected game emulators as well as the MAME frontends. Is this a good method of getting rid of those viruses, or is it better to look for dedicated tools for each virus?

Post #239553
Posted 5/16/2008 6:54 AM


Senior Forum Moderator


Group: Moderators
Last Login: Today @ 8:46 AM
Posts: 27,771, Visits: 54,579
I intend to delete the infected game emulators as well as the MAME frontends

Delete those then do the following:
Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected. It does not provide an option to clean/disinfect; I need to see the scan results.
• Now click on the Save as Text button.
• Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

If the above link doesn't work, try this:
http://www.kaspersky.com/kos/english/kavwebscan.html


__________________________________________________


Proud Member of ASAP (Alliance of Security Analysis Professionals).
Proud Member of U-N-I-T-E (Unified Network of Instructors and Trusted Eliminators).
Post #239555
Powered By InstantForum.NET v4.1.4 © 2008