Posts posted by MarshalK
WVCheck log:
Windows Validation Check
Version: 1.9.12.5
Log Created On: 1720_03-05-2011
-----------------------
Windows Information
-----------------------
Windows Version: Windows XP Service Pack 3
Windows Mode: Normal
Systemroot Path: C:\WINDOWS
WVCheck's Auto Update Check
-----------------------
Auto-Update Option: Download updates and install them automatically.
-----------------------
Last Success Time for Update Detection: 2011-05-03 20:39:17
Last Success Time for Update Download: 2011-04-27 02:21:26
Last Success Time for Update Installation: 2011-04-27 07:02:34
WVCheck's Registry Check Check
-----------------------
Antiwpa: Not Found
-----------------------
Chew7Hale: Not Found
-----------------------
WVCheck's File Dump
-----------------------
WVCheck found no known bad files.
WVCheck's Dir Dump
-----------------------
WVCheck found no known bad directories.
WVCheck's Missing File Check
-----------------------
WVCheck found no missing Windows files.
WVCheck's MBAM Quarantine Check
-----------------------
There were no bad files quarantined by MBAM.
WVCheck's HOSTS File Check
-----------------------
WVCheck found no bad lines in the hosts file.
WVCheck's MD5 Check
EXPERIMENTAL!!
-----------------------
user32.dll - b26b135ff1b9f60c9388b4a7d16f600b
-------- End of File, program close at 1723_03-05-2011 --------
-
I will run the WVCheck and the GMER next - please let me know if I am over posting or if you want more info.
Thank you
-
CKScanner:
CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11
----- EOF -----
-
Locksearch:
LockSearch by jpshortstuff (05.11.09.1)
Log created at 16:02 on 03/05/2011 (AP2010)
Scanning C:\
C:\hiberfil.sys
-------------------------
C:\pagefile.sys
-------------------------
-=E.O.F=-
-
Rooter:
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 15 Model 2 Stepping 5, GenuineIntel
.
[wscsvc] STOPPED (state:1) : Security Center -> Disabled !
[sharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:232 Go - Free:157 Go )
F:\ [Network] .. ( Total:76 Go - Free:16 Go )
G:\ [Network] .. ( Total:76 Go - Free:16 Go )
H:\ [Network] .. ( Total:76 Go - Free:16 Go )
I:\ [Network] .. ( Total:76 Go - Free:16 Go )
J:\ [Network] .. ( Total:76 Go - Free:16 Go )
K:\ [Network] .. ( Total:76 Go - Free:16 Go )
L:\ [Network] .. ( Total:76 Go - Free:16 Go )
M:\ [Network] .. ( Total:76 Go - Free:16 Go )
N:\ [Network] .. ( Total:76 Go - Free:16 Go )
O:\ [Network] .. ( Total:76 Go - Free:16 Go )
P:\ [Network] .. ( Total:76 Go - Free:16 Go )
S:\ [CD_Rom]
U:\ [Network] .. ( Total:76 Go - Free:16 Go )
Y:\ [Network] .. ( Total:76 Go - Free:16 Go )
Z:\ [Network] .. ( Total:76 Go - Free:16 Go )
.
Scan : 16:00.22
Path : U:\Desktop\Rooter.exe
User : AP2010 ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [system Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (932)
______ \??\C:\WINDOWS\system32\csrss.exe (996)
______ \??\C:\WINDOWS\system32\winlogon.exe (1020)
______ C:\WINDOWS\system32\services.exe (1068)
______ C:\WINDOWS\system32\lsass.exe (1080)
______ C:\WINDOWS\system32\svchost.exe (1308)
______ C:\WINDOWS\system32\svchost.exe (1380)
______ C:\WINDOWS\System32\svchost.exe (1508)
______ C:\WINDOWS\system32\svchost.exe (1652)
______ C:\WINDOWS\system32\svchost.exe (1768)
______ C:\WINDOWS\system32\spoolsv.exe (1912)
______ C:\WINDOWS\system32\svchost.exe (176)
______ C:\Program Files\Symantec\pcAnywhere\awhost32.exe (352)
______ C:\Program Files\Java\jre6\bin\jqs.exe (496)
______ C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (640)
______ C:\Program Files\LogMeIn\x86\RaMaint.exe (952)
______ C:\Program Files\LogMeIn\x86\LogMeIn.exe (1092)
______ C:\WINDOWS\system32\nvsvc32.exe (1560)
______ C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (1640)
______ C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (2004)
______ C:\WINDOWS\system32\svchost.exe (2032)
______ C:\Program Files\UPHClean\uphclean.exe (212)
______ C:\WINDOWS\system32\SearchIndexer.exe (296)
______ C:\WINDOWS\System32\alg.exe (2276)
______ C:\Program Files\LogMeIn\x86\LogMeIn.exe (3596)
______ C:\WINDOWS\Explorer.EXE (2628)
______ C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (764)
______ C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe (1592)
______ C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (1488)
______ C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (2208)
______ C:\Program Files\Trend Micro\Client Server Security Agent\TMAS_OE\TMAS_OEMon.exe (3608)
______ C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (2756)
______ C:\Program Files\Common Files\Java\Java Update\jusched.exe (2800)
______ C:\Program Files\Aladdin Systems\iClean\iClean.exe (2928)
______ C:\WINDOWS\system32\ctfmon.exe (2956)
______ C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (636)
______ C:\Program Files\Trend Micro\Client Server Security Agent\Misc\xpupg.exe (3192)
______ C:\Program Files\Trend Micro\Client Server Security Agent\pccntupd.exe (3088)
______ C:\WINDOWS\system32\igfxsrvc.exe (3800)
______ C:\Program Files\Internet Explorer\iexplore.exe (2528)
______ C:\Program Files\Internet Explorer\iexplore.exe (1624)
______ C:\Program Files\Internet Explorer\iexplore.exe (3672)
______ U:\Desktop\Rooter.exe (3284)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:250056705024)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 16:00.27
.
U:\Rooter$\Rooter_1.txt - (03/05/2011 | 16:00.27)
-
MBAM log after quick scan (I actually ran a full scan before visiting this site; here is the short version):
5/3/2011 12:06 PM
Scan type: Full scan (C:\|)
Objects scanned: 573511
Time elapsed: 44 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3
Then I ran the quickscan as per your instructions:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6499
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
5/3/2011 3:20:16 PM
mbam-log-2011-05-03 (15-20-16).txt
Scan type: Quick scan
Objects scanned: 190854
Time elapsed: 3 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\TEMP\application data\cleanhdd.dll (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\TEMP\application data\cleanhdd.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
-
We are having an issue where, when we search in Google, Yahoo, etc., the search resolves to a malicious site (blocked by Trend Micro Worry Free Standard, version 6.3).
I ran Malwarebytes originally (before I found this site) and it removed a few problems; then, following your checklist, I ran ERUNT, OTM and Malwarebytes again. MBAM found some more of the same, and I am also in a conversation with them, as the software (version 6499) will not update to 6500. It gives the following error: PROGRAM_ERROR_UPDATING (0, 0, SGRegGetPath).
Here is the OTM log:
All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
U:\Desktop\cmd.bat deleted successfully.
U:\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 36012 bytes
->Temporary Internet Files folder emptied: 82389 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 456 bytes
User: administrator.TITLECO
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: All Users
User: Andy
->Temp folder emptied: 37233 bytes
->Temporary Internet Files folder emptied: 54605 bytes
->Java cache emptied: 0 bytes
User: AP2010
->Temp folder emptied: 107610326 bytes
->Temporary Internet Files folder emptied: 3326689 bytes
->Java cache emptied: 2945856 bytes
->Flash cache emptied: 43323 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33237 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33237 bytes
User: TEMP
->Temp folder emptied: 596864 bytes
->Temporary Internet Files folder emptied: 122814 bytes
->Java cache emptied: 3340912 bytes
->Flash cache emptied: 43443 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 33691441 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 87194216 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 231.00 mb
Restore point Set: OTM Restore Point (0)
OTM by OldTimer - Version 3.1.17.2 log created on 05032011_141901
Files moved on Reboot...
Registry entries deleted on Reboot...
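The OTM run above resets the HOSTS file and flushes the DNS resolver cache because searches on Google and Yahoo were landing on a malicious site, and the later WVCheck run reports no bad lines in the (already reset) HOSTS file. The script below is an added example, not part of the forum post and not code from OTM, WVCheck or MBAM: it shows the triage a helper would do before resetting, parsing a Windows HOSTS file and flagging entries that redirect search-engine or security-vendor names to a foreign address, or pin them to loopback so updates are blocked. The watch-list of domains, the finding severities and the sample HOSTS content (including the documentation address 198.51.100.23) are constructed for the example.

```python
"""Triage a Windows HOSTS file for search-engine / update-server hijack entries.

Added example: not from the forum thread and not the logic of OTM, WVCheck or
MBAM. The watch-list, severities and SAMPLE_HOSTS are assumptions for the demo.
"""
import ipaddress

# Names the stock Windows HOSTS file maps to loopback; these are never flagged.
DEFAULT_LOOPBACK_NAMES = {"localhost"}

# Assumed watch-list: the search engines named in the thread plus vendor/update
# domains that redirectors commonly pin to loopback to block signature updates.
WATCHLIST = (
    "google.com", "yahoo.com", "bing.com",
    "malwarebytes.org", "trendmicro.com", "microsoft.com",
)


def is_sink(addr):
    """Loopback (127.0.0.0/8, ::1) or 0.0.0.0 makes a name resolve to nothing useful."""
    return addr.is_loopback or addr.is_unspecified


def on_watchlist(name):
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def parse_hosts(text):
    """Return [(addr or None, hostname or raw line, line_no)] for every mapping."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            entries.append((None, line, n))          # malformed: keep it for the report
            continue
        for name in names:
            entries.append((addr, name.lower().rstrip("."), n))
    return entries


def classify(entries):
    """Turn parsed mappings into findings; stock loopback entries are dropped."""
    findings = []
    for addr, name, n in entries:
        if addr is None:
            findings.append(dict(line=n, host=name, severity="medium",
                                 reason="malformed entry (no valid IP address)"))
        elif name in DEFAULT_LOOPBACK_NAMES and addr.is_loopback:
            continue                                 # expected default mapping
        elif on_watchlist(name):
            reason = (f"pinned to {addr}: lookups/updates for this vendor are blocked"
                      if is_sink(addr) else f"redirected to {addr}")
            findings.append(dict(line=n, host=name, severity="high", reason=reason))
        elif is_sink(addr):
            findings.append(dict(line=n, host=name, severity="info",
                                 reason=f"blocked via {addr} (ad-block style entry)"))
        else:
            findings.append(dict(line=n, host=name, severity="medium",
                                 reason=f"public name mapped to {addr}"))
    return findings


def report(text):
    """Human-readable summary of the findings for one HOSTS file body."""
    lines = [f"[{f['severity']:6}] line {f['line']}: {f['host']} -> {f['reason']}"
             for f in classify(parse_hosts(text))]
    return "\n".join(lines) if lines else "no suspicious HOSTS entries"


# Constructed sample (not the machine's real HOSTS file, which the page never shows).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# --- constructed hijack entries below, not from the page ---
198.51.100.23   www.google.com google.com
198.51.100.23   search.yahoo.com
127.0.0.1       www.malwarebytes.org
0.0.0.0         ad.example.net
not-an-ip       www.bing.com
"""

if __name__ == "__main__":
    print(report(SAMPLE_HOSTS))
    # On the affected XP box, point it at the real file instead:
    # print(report(open(r"C:\WINDOWS\system32\drivers\etc\hosts").read()))
```

The high-severity findings are the ones that explain a "search resolves to a malicious site" symptom; anything pinned to loopback for a vendor domain explains a client that cannot fetch updates, which is worth checking alongside the PROGRAM_ERROR_UPDATING failure reported above.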
Rootkit infestation? redirect search engines
in Malware Removal
Posted
Please close this log as I am receiving help via another route. Thank you.