Jump to content


Photo

A follow-up...


  • Please log in to reply
3 replies to this topic

#1 vicvalis

vicvalis

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 24 June 2007 - 05:53 PM

...couple of weeks ago the laptop was cleaned of all little nasties, thanks to the help of the kind folks here at the board. Afterwards, I went about trying to manually remove a tryout of Office 2007 I didn't like... the uninstall files were corrupted and I ended up picking out all the files I could Then I had to restore Office 2003 using file I picked up through dubious means. Office 2003 is reinstalled and working now, but I want to make sure that nothing malicious got added in the process. I see nothing obvious, but I'll leave that decision to the experts. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 1:28:16 PM, on 6/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\AusLogics BoostSpeed\boostspeed.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1177679059457
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

jeff

And a followup to this followup: yeah, I picked up a trojan or two, it looks like. S&D is working on the compute now, and I will post the AVG log shortly.

#2 vicvalis

vicvalis

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 24 June 2007 - 06:04 PM

Oops, computer problems at work... this reply was a mistake, see the one below.

Jeff

Edited by vicvalis, 24 June 2007 - 07:08 PM.


#3 vicvalis

vicvalis

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 24 June 2007 - 06:06 PM

Okay, I recognize a few names from the AVG log. I followed the recommendations and let AVG take care of the problems as it liked:

-------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:48:17 PM 6/24/2007

+ Scan result:



C:\QooBox\Quarantine\C\WINDOWS\system32\awtrqqq.dll.vir -> Adware.Virtumonde : Ignored.
C:\QooBox\Quarantine\C\WINDOWS\system32\efcaxvv.dll.vir -> Adware.Virtumonde : Ignored.
C:\QooBox\Quarantine\C\WINDOWS\system32\fcccbbx.dll.vir -> Adware.Virtumonde : Ignored.
C:\QooBox\Quarantine\C\WINDOWS\system32\gebxyvu.dll.vir -> Adware.Virtumonde : Ignored.
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnnnmn.dll.vir -> Adware.Virtumonde : Ignored.
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqqpqo.dll.vir -> Adware.Virtumonde : Ignored.
C:\System Volume Information\_restore{D46C45C2-E6BE-497F-8627-18D90129F831}\RP117\A0018612.dll -> Adware.Virtumonde : Ignored.
C:\System Volume Information\_restore{D46C45C2-E6BE-497F-8627-18D90129F831}\RP117\A0018613.dll -> Adware.Virtumonde : Ignored.
C:\System Volume Information\_restore{D46C45C2-E6BE-497F-8627-18D90129F831}\RP117\A0018614.dll -> Adware.Virtumonde : Ignored.
C:\System Volume Information\_restore{D46C45C2-E6BE-497F-8627-18D90129F831}\RP117\A0018615.dll -> Adware.Virtumonde : Ignored.
C:\System Volume Information\_restore{D46C45C2-E6BE-497F-8627-18D90129F831}\RP117\A0018616.dll -> Adware.Virtumonde : Ignored.
C:\System Volume Information\_restore{D46C45C2-E6BE-497F-8627-18D90129F831}\RP117\A0018617.dll -> Adware.Virtumonde : Ignored.
:mozilla.8:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vmqoit1q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vmqoit1q.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vmqoit1q.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.32:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vmqoit1q.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.33:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vmqoit1q.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.30:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vmqoit1q.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.31:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vmqoit1q.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\SDFix\backups_old1\backups.zip/backups/win55.tmp.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D46C45C2-E6BE-497F-8627-18D90129F831}\RP117\A0018574.dll -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__w_i_n_k_z_r_3_2_._d_l_l_ -> Trojan.Dialer.qn : Cleaned with backup (quarantined).


::Report end

I also have Norton antivirus from my workplace and it's going after a fe of the same problems.

jeff

#4 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,520 posts

Posted 27 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button