[LOG] Client laptop
#1
I had a laptop in for virus removal the other day; it was probably one of the worst I've come across. When it arrived, booting into the Windows environment wasn't an option: once you logged in you were presented with a serious amount of pop-ups, fake programs etc., and after around 3 seconds it'd just hang and quit Explorer, forcing a reboot.

So I got to work in good old safe mode, where I ran multiple scans. I actually ended up running about 4 MBAM scans, with ALL of them picking up hundreds of infections; here's just an example of one scan.

[Image: mbam1.jpg]
[Image: mbam2.jpg]
[Image: mbam3.jpg]

Booted into safe mode
msconfig, removed crap
mbam scan
Reboot
Booted into safe mode
mbam scan
Reboot
Booted into normal mode
mbam scan
Reboot
Booted into normal mode
Avira scan

Serious amount of program removal, add / remove programs.

Then I ran HJT and created this log. The main problems are gone, but I can almost guarantee this log contains something suspicious.

[code=HJT]
Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 22:03:33, on 10/11/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe

C:\Program Files\Dell Network Assistant\hnm_svc.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Creative\Mixer\CTSVolFE.exe

C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe

C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\VoyagerTest\fts.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\NetWaiting\netWaiting.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Dell Network Assistant\ezi_hnm2.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Documents and Settings\John\Desktop\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5061206

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=5061206

O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com

O1 - Hosts: 74.125.45.100 urs.microsoft.com

O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com

O1 - Hosts: 74.125.45.100 secure-plus-payments.com

O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com

O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com

O1 - Hosts: 74.125.45.100 paysoftbillsolution.com

O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com

O1 - Hosts: 74.125.45.100 4-open-davinci.com

O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com

O1 - Hosts: 74.125.45.100 privatesecuredpayments.com

O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com

O1 - Hosts: 74.125.45.100 www.getavplusnow.com

O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll

O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll

O3 - Toolbar: (no name) - {BFB5F154-9212-46F3-B547-AC6106030A54} - (no file)

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun

O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"

O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Dell Network Assistant.lnk = ?

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: OFM Manager Bar - {BFB5F154-9212-46F3-B547-AC6106030A54} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: OFM Manager Bar - {BFB5F154-9212-46F3-B547-AC6106030A54} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared...insctl.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O20 - AppInit_DLLs: C:\WINDOWS\SYSTEM32\DXTMSFT32.DLL C:\WINDOWS\SYSTEM32\DXTMSFT32.DLL C:\WINDOWS\SYSTEM32\DXTMSFT32.DLL C:\WINDOWS\SYSTEM32\DXTMSFT32.DLL C:\WINDOWS\SYSTEM32\DXTMSFT32.DLL C:\WINDOWS\SYSTEM32\DXTMSFT32.DLL C:\WINDOWS\SYSTEM32\DXTMSFT32.DLL C:\WINDOWS\SYSTEM32\DXTMSFT32.DLL C:\WINDOWS\SYSTEM32\DXTMSFT32.DLL C:\WINDOWS\SYSTEM32\DXTMSFT32.DLL C:\WINDOWS\SYSTEM32\DXTMSFT32.DLL C:\WINDOWS\SYSTEM32\DXTMSFT32.DLL C:\WINDOWS\SYSTEM32\DXTMSFT32.DLL

O20 - Winlogon Notify: 40d23e18891 - C:\WINDOWS\SYSTEM32\DXTMSFT32.DLL (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe

O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (file missing)

O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)

O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)

O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)

O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\Program Files\McAfee\MPF\MPFSrv.exe (file missing)

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe



--

End of file - 11508 bytes

[/code]
  Reply
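As an added example (not code from the thread or from HijackThis), a small Python checker for the HJT log format above that picks out the two entry types worth a second look in a log like this one: O1 Hosts lines that pin several hostnames to one non-loopback address, and O20 AppInit_DLLs / Winlogon Notify entries with a repeated DLL, a random-looking key or a missing file. The sample log is constructed from entries of the same shape as the thread's; the thresholds and the hex-key heuristic are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in HijackThis log format, modelled on entries from the
# thread's log (same IP, DLL and Winlogon key); not the thread's full log.
SAMPLE_LOG = r"""
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 127.0.0.1 localhost
O20 - AppInit_DLLs: C:\WINDOWS\SYSTEM32\DXTMSFT32.DLL C:\WINDOWS\SYSTEM32\DXTMSFT32.DLL
O20 - Winlogon Notify: 40d23e18891 - C:\WINDOWS\SYSTEM32\DXTMSFT32.DLL (file missing)
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")

def parse_hjt(text):
    """Split an HJT log into (section, body) pairs; non-entry lines are skipped."""
    return [(m.group(1), m.group(2))
            for m in (HJT_LINE.match(l.strip()) for l in text.splitlines()) if m]

def hosts_hijack(entries):
    """O1: several hostnames pinned to one non-loopback IP is the rogue-AV
    hosts-file trick (vendor and update sites silently redirected)."""
    by_ip = defaultdict(list)
    for sec, body in entries:
        if sec == "O1" and body.startswith("Hosts: "):
            ip, host = body[7:].split(None, 1)
            if not ip.startswith("127."):
                by_ip[ip].append(host)
    return {ip: hosts for ip, hosts in by_ip.items() if len(hosts) > 1}

def appinit_findings(entries):
    """O20: AppInit_DLLs load into every process that maps user32.dll, so a
    repeated DLL, a hex-blob Winlogon key or a missing file is worth a look."""
    out = []
    for sec, body in entries:
        if sec != "O20":
            continue
        if body.startswith("AppInit_DLLs: "):
            for dll, n in Counter(body[14:].lower().split()).items():
                if n > 1:
                    out.append(("appinit_repeated", dll, n))
        elif body.startswith("Winlogon Notify: "):
            key, _, target = body[17:].partition(" - ")
            if re.fullmatch(r"[0-9a-f]{8,}", key) or "(file missing)" in target:
                out.append(("winlogon_notify", key, target))
    return out
```

Run `hosts_hijack(parse_hjt(SAMPLE_LOG))` and `appinit_findings(...)` on a real HJT log to get the grouped hosts entries and the O20 findings for review.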
#2
Scan with Malwarebytes is the answer to everything.

"How do I know if my girlfriend is pregnant?"

Scan with Malwarebytes

"How can I tell how big my pension will be?"

Scan with Malwarebytes

"What's good for cleaning up a murder?"

Scan with Malwarebytes.



Dylan had a lot of infections, what do you think he was doing to get all those?
They see me trollin', they hatin'.
  Reply
#3
Let me guess, was he scanning with Malwarebytes?
  Reply
#4
(13-11-2010, 12:09 AM)Mark Wrote: Let me guess, was he scanning with Malwarebytes?

Now THAT is funny.
Having long hair is great until you have to pull a footlong out of the dog's butt. flatank.blogspot.com
I. AM. LATCH.
  Reply
#5
I don't know why you went through the process of removing. Fresh install!
[Image: nomnomnom.jpg]
;7$=v?%v%#5>v7v8994
The decrypt code is V, I could not make it any simpler!
  Reply
#6
(13-11-2010, 10:51 AM)Drumm Wrote: I don't know why you went through the process of removing. Fresh install!

I used to work at Gateway and that is the lazy way to do it. You have to archive all your stuff. You then have to reinstall all of your software. You lose all your settings and everything is out of place. Oh yeah, drivers, activation, require the internet and if you didn't preload the drivers, sometimes Windows won't let you back in after reboot. Irritating. Start all over or pop another Ethernet card in there that Windows will recognize, but that won't work if it's a laptop.

Sometimes, it's all gummed up and you have to reload when it's acting wonky, but most of the time it can be repaired.
Having long hair is great until you have to pull a footlong out of the dog's butt. flatank.blogspot.com
I. AM. LATCH.
  Reply
#7
When it's my own machine, I don't mind so much. I can see your reasoning when applied to somebody else's laptop though.
[Image: nomnomnom.jpg]
;7$=v?%v%#5>v7v8994
The decrypt code is V, I could not make it any simpler!
  Reply
#8
(13-11-2010, 05:52 PM)Drumm Wrote: When it's my own machine, I don't mind so much. I can see your reasoning when applied to somebody else's laptop though.

I do it for a living. A reload presents all kinds of ways for things to go wrong. One time, I reloaded a client's box and backed up all her stuff, like 20 gigs. Then she said, "Did you get my fonts?" No, I didn't get her fonts. It's not included in a standard backup. Another dude is unable to log into his MSN Explorer unless I bring MSN Messenger up to date, and he has got to have that working or he's lost. One icon out of place and some people are all but emasculated.

I give my clients impeccable service and I will return to fix problems at no additional charge. The aforementioned are examples of things that can be avoided by opting not to reload.
Having long hair is great until you have to pull a footlong out of the dog's butt. flatank.blogspot.com
I. AM. LATCH.
  Reply
#9
Quote:You have to archive all your stuff. You then have to reinstall all of your software. You lose all your settings and everything is out of place. Oh yeah, drivers, activation, require the internet and if you didn't preload the drivers, sometimes Windows won't let you back in after reboot. Irritating.

I'd have to go through the process of backing up stuff (probably containing viruses). They also had some ancient software and print drivers on there, as well as 3 user accounts that'll all have their own setup, which I'm sure they've customised. When it's someone else's, it's way too much trouble getting it back to how it was, and it usually takes longer than loads of scans and tweaking.

If it was my own box though, I'd have started fresh.
  Reply
#10
Wowwww hahah, I've never seen one that infected; the most infections I've ever seen is like 10 at most. Usually nowadays 1 virus is bad enough to fuck the rest of your PC, especially if you download one of those fake antivirus programs with a rootkit attached.
[Image: i54vt3.jpg]
  Reply