PDA

View Full Version : every malware under the sun


imark
2008-05-21, 04:58
Please help
this Latop had every malware under the sun
i run spybot & updated Symantec
cleaned out what i could

unable to produce HJT LOG

only in Administrator SAFE MODE

when logged to users profile i tried to retrive HJT Log from admin profile only to be detect Log as Exploit.HTML.Mht i will try again to post

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, May 21, 2008 2:40:18 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/05/2008
Kaspersky Anti-Virus database records: 788663
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 24293
Number of viruses found: 1
Number of infected objects: 0
Number of suspicious objects: 3
Duration of the scan process: 00:29:36

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80000\4CFA169E.VBN Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80001\4CFA16D0.VBN Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80002\4CFA16EB.VBN Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80003\4CFA1710.VBN Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80004\4CFA171B.VBN Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80005\4CFA1730.VBN Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80006\4CFA1748.VBN Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80007\4CFA1753.VBN Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80008\4CFA1768.VBN Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80009\4CFA177C.VBN Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E8000A\4CFA1791.VBN Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E8000D\4CFA179C.VBN Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E8000E\4CFA17B5.VBN Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E8000F\4CFA17C9.VBN Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80010\4CFA17E3.VBN Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80011\4CFA17F6.VBN Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C1C0000.VBN Suspicious: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C1C0001\4C3F8412.VBN Suspicious: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C1C0002\4C3F8463.VBN Suspicious: Exploit.HTML.Mht skipped
C:\Documents and Settings\Holly\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Holly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Holly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Holly\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Holly\Local Settings\History\History.IE5\MSHist012008052120080522\index.dat Object is locked skipped
C:\Documents and Settings\Holly\Local Settings\Temp\~DFEB68.tmp Object is locked skipped
C:\Documents and Settings\Holly\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Holly\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Holly\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\eengine\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0007NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0773NAV~.TMP Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\LAPTOP1.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Prefetch\layout.ini Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\ZLT055bd.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
imark
2008-05-21, 05:14
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:02 PM, on 5/21/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Documents\hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E65A557-173C-4DE9-860B-28FC5CACA542} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QKeys] C:\Program Files\QKeys\QKeys.exe
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Device\cm20.exe
O4 - HKLM\..\Run: [Start RF Wireless Keyboard] C:\Program Files\RF Wireless Device\ktrexe.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/200017272/kavwebscan_unicode.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031016/akamai.info.apple.com/iTunes4/WW/win/061-0848.20031022.TtzS4/iTunesSetup.exe
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D8FB1A3-61BC-4797-917C-7303C32FDA90}: NameServer = 192.168.40.100
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4581 bytes
tashi
2008-05-26, 08:25
Hi there,

Is this a Corporate/Business machine?

Best regards.
imark
2008-05-27, 01:23
this laptop was from a not for profit organisation.
trying to clean it up so it can be used by home user
shelf life
2008-05-29, 04:31
hi imark,


was from a not for profit organisation
i guess that means you dont have the reinstall media, to reformat/reinstall that is. since you dont know where this thing has been that would be the best option. Most likely you dont have that so....

you have run av and spybot, hjt log looks ok. looks like everything from the online scan was found in Symantecs Quarantine folder. you could get a 2nd antimalware app to scan the computer.
You do need to visit windows update ASAP to plug the holes. The download will be huge, hope you have broadband! I think you can order the CD but that would only delay it. you should also insure that all the software (as reasonably possible) is updated on the machine. this can help: http://secunia.com/software_inspector/
you could look in add/remove programs panel and uninstall software that most likely a user would install themselves, like that ipod service?
good luck
imark
2008-06-03, 09:49
Thank You Shelf Life

i now have all latest service packs & software updates thanks to secuina.

seems only issue is Norton AV keeps catching virus
a heuristic file its a registry file in a spybot snapshot folder

i delete from quarantine but it keeps coming back gets caught & quarantined again
shelf life
2008-06-04, 01:08
Hi imark,

so its putting in quarantine a file from spybots snapshot folder?
you may find this hard to believe but iam not very familiar with spybot.
i will grab a copy when iam in windows.
imark
2008-06-04, 03:27
yep in Quarintine

AV detecting as Bloodhound.Exploit.6
file is called RegDPF-Global.reg
location is C:\Documents and Settings\All Users\Application Data\Spybot - search& Destroy\Snapshot2\
shelf life
2008-06-05, 03:06
hi imark


RegDPF-Global.reg
pretty sure that has to do with SBSD tea timer, or at least a file used by Spybot- for some reason its getting flagged by your AV. can you had a exception to that file in your AV, like ignore or skip?