Redirect and Window Change virus


  • This topic is locked

#16
retired_deer
    Member
  • Topic Starter
  • 10 posts
Well that only took forever and a day! But it worked. Here were the results:



Status: Deleted (events: 16)
9/8/2011 11:10:35 PM Deleted Trojan program Backdoor.Win32.Poison.crtb C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfattachtest.exe High
9/8/2011 11:10:43 PM Deleted Trojan program Backdoor.Win32.Poison.crsu C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfautodump.exe High
9/8/2011 11:10:49 PM Deleted Trojan program Backdoor.Win32.Poison.crsx C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfcleanmap.exe High
9/8/2011 11:10:54 PM Deleted Trojan program Backdoor.Win32.Poison.crss C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfderamp.exe High
9/8/2011 11:11:02 PM Deleted Trojan program Backdoor.Win32.Poison.crte C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfdoffsets.exe High
9/8/2011 11:11:06 PM Deleted Trojan program Backdoor.Win32.Poison.crsz C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfexpbench.exe High
9/8/2011 11:11:09 PM Deleted Trojan program Backdoor.Win32.Poison.crsw C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfflows.exe High
9/8/2011 11:11:16 PM Deleted Trojan program Backdoor.Win32.Poison.crga C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dflair.exe High
9/8/2011 11:11:20 PM Deleted Trojan program Backdoor.Win32.Poison.crtd C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfmode.exe High
9/8/2011 11:11:22 PM Deleted Trojan program Backdoor.Win32.Poison.crst C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfpause.exe High
9/8/2011 11:11:26 PM Deleted Trojan program Backdoor.Win32.Poison.crtf C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfposition.exe High
9/8/2011 11:11:32 PM Deleted Trojan program Backdoor.Win32.Poison.crsv C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfsuspend.exe High
9/8/2011 11:12:30 PM Deleted Trojan program Backdoor.Win32.Poison.crsy C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dftubefill.exe High
9/8/2011 11:12:35 PM Deleted Trojan program Backdoor.Win32.Poison.crta C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfunstuck.exe High
9/8/2011 11:12:39 PM Deleted Trojan program Backdoor.Win32.Poison.crtc C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfweather.exe High
9/9/2011 7:51:52 AM Deleted virus HEUR:Exploit.Script.Generic C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\03UA893J\cmuesal7[1].htm High
Results of system analysis

Kaspersky Virus Removal Tool 11.0.0.1245 (database released 08/09/2011; 21:10)
List of processes
File name PID Description Copyright MD5 Information
c:\program files\verizon\iha_messagecenter\bin\verizon_ihamessagecenter.exe
Script: Quarantine, Delete, BC delete, Terminate 4612 ?? 148.00 kb, rsAh,
created: 16.06.2011 13:13:20,
modified: 01.07.2011 15:01:18
Command line:
"C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe"
Detected:77, recognized as trusted 77
Module name Handle Description Copyright MD5 Used by processes
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\cfb60f99da570cc494e27e0e8ee747e2\System.Xml.ni.dll
Script: Quarantine, Delete, BC delete 1639776256 .NET Framework © Microsoft Corporation. All rights reserved. -- 4612
C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9dff86a62a525ec8dc827fe9f50298b7\System.ni.dll
Script: Quarantine, Delete, BC delete 1797128192 .NET Framework © Microsoft Corporation. All rights reserved. -- 4612
Modules detected:639, recognized as trusted 637
Kernel Space Modules Viewer
Module Base address Size in memory Description Manufacturer
C:\Windows\System32\Drivers\dump_atapi.sys
Script: Quarantine, Delete, BC delete 9278F000 008000 (32768)
C:\Windows\System32\Drivers\dump_dumpata.sys
Script: Quarantine, Delete, BC delete 92784000 00B000 (45056)
Modules detected - 150, recognized as trusted - 148
Services
Service Description Status File Group Dependencies
msiserver
Service: Stop, Delete, Disable, BC delete Windows Installer Not started C:\Windows\system32\msiexec
Script: Quarantine, Delete, BC delete rpcss
Detected - 146, recognized as trusted - 145
Drivers
Service Description Status File Group Dependencies
blbdrive
Driver: Unload, Delete, Disable, BC delete blbdrive Not started C:\Windows\system32\drivers\blbdrive.sys
Script: Quarantine, Delete, BC delete
catchme
Driver: Unload, Delete, Disable, BC delete catchme Not started C:\Users\Jeremy\AppData\Local\Temp\catchme.sys
Script: Quarantine, Delete, BC delete Base
IpInIp
Driver: Unload, Delete, Disable, BC delete IP in IP Tunnel Driver Not started C:\Windows\system32\DRIVERS\ipinip.sys
Script: Quarantine, Delete, BC delete Tcpip
MREMP50a64
Driver: Unload, Delete, Disable, BC delete MREMP50a64 NDIS Protocol Driver Not started C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS
Script: Quarantine, Delete, BC delete PNP_TDI
MRESP50a64
Driver: Unload, Delete, Disable, BC delete MRESP50a64 NDIS Protocol Driver Not started C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS
Script: Quarantine, Delete, BC delete PNP_TDI
NwlnkFlt
Driver: Unload, Delete, Disable, BC delete IPX Traffic Filter Driver Not started C:\Windows\system32\DRIVERS\nwlnkflt.sys
Script: Quarantine, Delete, BC delete NwlnkFwd
NwlnkFwd
Driver: Unload, Delete, Disable, BC delete IPX Traffic Forwarder Driver Not started C:\Windows\system32\DRIVERS\nwlnkfwd.sys
Script: Quarantine, Delete, BC delete
Detected - 245, recognized as trusted - 238
Autoruns
File name Status Startup method Description
C:\Users\Jeremy\AppData\Local\Temp\_uninst_46878702.bat
Script: Quarantine, Delete, BC delete Active Shortcut in Autoruns folder C:\Users\Jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\, C:\Users\Jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_46878702.lnk,
C:\WindowsSystem32\IoLogMsg.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\vsmraid, EventMessageFile
C:\Windows\System32\appmgmts.dll
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters, ServiceDll
Delete
C:\Windows\System32\igmpv2.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile
C:\Windows\System32\ipbootp.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile
C:\Windows\System32\iprip2.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile
C:\Windows\System32\ws03res.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPNATHLP, EventMessageFile
C:\Windows\system32\psxss.exe
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
C:\f0c44b52cae3eef4cd\DW\DW20.exe
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\VSSetup, EventMessageFile
SDEvents.dll
Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\Spybot - Search & Destroy 2, EventMessageFile
progman.exe
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell
Delete
rdpclip
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms
Delete
vgafix.fon
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon
Delete
vgaoem.fon
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon
Delete
vgasys.fon
Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon
Delete
Autoruns items detected - 707, recognized as trusted - 692
Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)
File name Type Description Manufacturer CLSID
Extension module {2670000A-7350-4f3c-8081-5663EE0C6C49}
Delete
Extension module {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
Delete
Extension module {DFB852A3-47F8-48C4-A200-58CAB36FD2A2}
Delete
Elements detected - 14, recognized as trusted - 11
Windows Explorer extension modules
File name Destination Description Manufacturer CLSID
IE User Assist {FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}
Delete
Color Control Panel Applet {b2c761c6-29bc-4f19-9251-e6195265baf1}
Delete
Add New Hardware {7A979262-40CE-46ff-AEEE-7884AC3B6136}
Delete
Get Programs Online {3e7efb4c-faf1-453d-89eb-56026875ef90}
Delete
Taskbar and Start Menu {0DF44EAA-FF21-4412-828E-260A8728E7F1}
Delete
ActiveDirectory Folder {1b24a030-9b20-49bc-97ac-1be4426f9e59}
Delete
ActiveDirectory Folder {34449847-FD14-4fc8-A75A-7432F5181EFB}
Delete
Sam Account Folder {C8494E42-ACDD-4739-B0FB-217361E4894F}
Delete
Sam Account Folder {E29F9716-5C08-4FCD-955A-119FDB5A522D}
Delete
Control Panel command object for Start menu {5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
Delete
Default Programs command object for Start menu {E44E5D18-0652-4508-A4E2-8A090067BCB0}
Delete
Folder Options {6dfd7c5c-2451-11d3-a299-00c04f8ef6af}
Delete
Explorer Query Band {2C2577C2-63A7-40e3-9B7F-586602617ECB}
Delete
View Available Networks {38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b}
Delete
Contacts folder {0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48}
Delete
Windows Firewall {4026492f-2f69-46b8-b9bf-5654fc07e423}
Delete
Problem Reports and Solutions {fcfeecae-ee1b-4849-ae50-685dcf7717ec}
Delete
iSCSI Initiator {a304259d-52b8-4526-8b1a-a1d6cecc8243}
Delete
.cab or .zip files {911051fa-c21c-4246-b470-070cd8df6dc4}
Delete
Windows Search Shell Service {da67b8ad-e81b-4c70-9b91b417b5e33527}
Delete
Microsoft.ScannersAndCameras {00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3}
Delete
Windows Sidebar Properties {37efd44d-ef8d-41b1-940d-96973a50e9e0}
Delete
Windows Features {67718415-c450-4f3c-bf8a-b487642dc39b}
Delete
Windows Defender {d8559eb9-20c0-410e-beda-7ed416aecc2a}
Delete
Mobility Center Control Panel {5ea4f148-308c-46d7-98a9-49041b1dd468}
Delete
User Accounts {7A9D77BD-5403-11d2-8785-2E0420524153}
Delete
AVG Find Extension {9F97547E-460A-42C5-AE0C-81C61FFAEBC3}
Delete
Elements detected - 307, recognized as trusted - 280
Printing system extensions (print monitors, providers)
File name Type Name Description Manufacturer
Elements detected - 7, recognized as trusted - 7
Task Scheduler jobs
File name Job name Job status Description Manufacturer
Elements detected - 4, recognized as trusted - 4
SPI/LSP settings
Namespace providers (NSP)
Provider Status EXE file Description GUID
Detected - 6, recognized as trusted - 6
Transport protocol providers (TSP, LSP)
Provider EXE file Description
Detected - 18, recognized as trusted - 18
Results of automatic SPI settings check

LSP settings checked. No errors detected

TCP/UDP ports
Port Status Remote Host Remote Port Application Notes
TCP ports
80 LISTENING 0.0.0.0 0 [12] c:\program files\skype\phone\skype.exe
Script: Quarantine, Delete, BC delete, Terminate
135 LISTENING 0.0.0.0 0 [1136] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
139 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
443 LISTENING 0.0.0.0 0 [12] c:\program files\skype\phone\skype.exe
Script: Quarantine, Delete, BC delete, Terminate
445 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
4165 LISTENING 0.0.0.0 0 [12] c:\program files\skype\phone\skype.exe
Script: Quarantine, Delete, BC delete, Terminate
5357 LISTENING 0.0.0.0 0 [4] System
Script: Quarantine, Delete, BC delete, Terminate
10000 LISTENING 0.0.0.0 0 [2432] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
49152 LISTENING 0.0.0.0 0 [800] c:\windows\system32\wininit.exe
Script: Quarantine, Delete, BC delete, Terminate
49153 LISTENING 0.0.0.0 0 [1272] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
49154 LISTENING 0.0.0.0 0 [1312] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
49155 LISTENING 0.0.0.0 0 [864] c:\windows\system32\lsass.exe
Script: Quarantine, Delete, BC delete, Terminate
49183 LISTENING 0.0.0.0 0 [848] c:\windows\system32\services.exe
Script: Quarantine, Delete, BC delete, Terminate
53091 LISTENING 0.0.0.0 0 [2432] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
55183 CLOSE_WAIT 204.9.163.166 80 [4528] c:\program files\google\chrome\application\chrome.exe
Script: Quarantine, Delete, BC delete, Terminate
55418 ESTABLISHED 127.0.0.1 55419 [5332] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
55419 ESTABLISHED 127.0.0.1 55418 [5332] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
55420 ESTABLISHED 127.0.0.1 55421 [5332] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
55421 ESTABLISHED 127.0.0.1 55420 [5332] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
55479 ESTABLISHED 69.171.224.12 80 [5332] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
55482 TIME_WAIT 64.211.203.98 80 [0]
55485 TIME_WAIT 64.211.203.75 80 [0]
55486 TIME_WAIT 64.211.203.123 80 [0]
55487 TIME_WAIT 69.171.229.39 80 [0]
55488 TIME_WAIT 69.171.224.12 80 [0]
55489 ESTABLISHED 66.220.145.39 80 [5332] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
55492 TIME_WAIT 204.0.1.64 80 [0]
55493 TIME_WAIT 204.0.1.64 80 [0]
55494 TIME_WAIT 204.0.1.64 80 [0]
55495 TIME_WAIT 204.0.1.40 80 [0]
55496 TIME_WAIT 204.0.1.64 80 [0]
55497 TIME_WAIT 204.0.1.40 80 [0]
55498 TIME_WAIT 204.0.1.64 80 [0]
55499 TIME_WAIT 204.0.1.64 80 [0]
55500 TIME_WAIT 204.0.1.64 80 [0]
55501 TIME_WAIT 204.0.1.40 80 [0]
55502 TIME_WAIT 204.0.1.64 80 [0]
55503 TIME_WAIT 204.0.1.40 80 [0]
55504 TIME_WAIT 204.0.1.64 80 [0]
55505 TIME_WAIT 204.0.1.64 80 [0]
55506 TIME_WAIT 204.0.1.64 80 [0]
55507 TIME_WAIT 74.125.227.69 80 [0]
55510 TIME_WAIT 204.0.1.64 80 [0]
55511 TIME_WAIT 204.0.1.64 80 [0]
55512 TIME_WAIT 204.0.1.64 80 [0]
55559 TIME_WAIT 66.59.66.6 80 [0]
55560 TIME_WAIT 74.125.227.70 80 [0]
55561 TIME_WAIT 74.125.45.100 80 [0]
55566 TIME_WAIT 38.110.160.113 24383 [0]
55569 TIME_WAIT 66.59.66.6 80 [0]
55571 TIME_WAIT 131.247.9.134 49883 [0]
55573 TIME_WAIT 213.146.189.206 12350 [0]
55575 TIME_WAIT 213.146.189.206 12350 [0]
55584 TIME_WAIT 78.141.177.111 12350 [0]
55598 ESTABLISHED 204.0.87.97 80 [1724] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
55599 TIME_WAIT 96.41.53.214 43686 [0]
55601 ESTABLISHED 63.97.123.73 80 [12] c:\program files\skype\phone\skype.exe
Script: Quarantine, Delete, BC delete, Terminate
55602 TIME_WAIT 212.161.8.3 12350 [0]
55604 ESTABLISHED 184.25.210.161 443 [12] c:\program files\skype\phone\skype.exe
Script: Quarantine, Delete, BC delete, Terminate
55605 ESTABLISHED 184.30.15.139 443 [12] c:\program files\skype\phone\skype.exe
Script: Quarantine, Delete, BC delete, Terminate
55606 ESTABLISHED 74.125.47.95 443 [12] c:\program files\skype\phone\skype.exe
Script: Quarantine, Delete, BC delete, Terminate
55607 TIME_WAIT 212.161.8.3 12350 [0]
55615 TIME_WAIT 78.141.181.220 34002 [0]
55617 ESTABLISHED 213.166.51.4 33033 [12] c:\program files\skype\phone\skype.exe
Script: Quarantine, Delete, BC delete, Terminate
55619 ESTABLISHED 66.59.66.6 80 [5332] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
55620 ESTABLISHED 66.59.66.6 80 [5332] c:\program files\mozilla firefox\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate
55621 ESTABLISHED 169.229.97.131 56068 [12] c:\program files\skype\phone\skype.exe
Script: Quarantine, Delete, BC delete, Terminate
55622 TIME_WAIT 213.146.189.204 12350 [0]
55624 CLOSE_WAIT 204.9.163.156 443 [12] c:\program files\skype\phone\skype.exe
Script: Quarantine, Delete, BC delete, Terminate
55626 ESTABLISHED 213.146.189.204 12350 [12] c:\program files\skype\phone\skype.exe
Script: Quarantine, Delete, BC delete, Terminate
55627 ESTABLISHED 69.171.228.20 443 [12] c:\program files\skype\phone\skype.exe
Script: Quarantine, Delete, BC delete, Terminate
55628 ESTABLISHED 74.125.227.91 443 [12] c:\program files\skype\phone\skype.exe
Script: Quarantine, Delete, BC delete, Terminate
55630 ESTABLISHED 184.51.37.195 443 [12] c:\program files\skype\phone\skype.exe
Script: Quarantine, Delete, BC delete, Terminate
UDP ports
123 LISTENING -- -- [1532] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
137 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
138 LISTENING -- -- [4] System
Script: Quarantine, Delete, BC delete, Terminate
443 LISTENING -- -- [12] c:\program files\skype\phone\skype.exe
Script: Quarantine, Delete, BC delete, Terminate
500 LISTENING -- -- [1312] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1532] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [2432] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
1900 LISTENING -- -- [1532] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3702 LISTENING -- -- [1532] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
3702 LISTENING -- -- [1532] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
4165 LISTENING -- -- [12] c:\program files\skype\phone\skype.exe
Script: Quarantine, Delete, BC delete, Terminate
4500 LISTENING -- -- [1312] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
5355 LISTENING -- -- [1724] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
44301 LISTENING -- -- [3376] c:\windows\system32\pnkbstra.exe
Script: Quarantine, Delete, BC delete, Terminate
50000 LISTENING -- -- [4612] c:\program files\verizon\iha_messagecenter\bin\verizon_ihamessagecenter.exe
Script: Quarantine, Delete, BC delete, Terminate
50049 LISTENING -- -- [1532] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
50796 LISTENING -- -- [1312] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
53091 LISTENING -- -- [2432] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
54637 LISTENING -- -- [2432] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
54638 LISTENING -- -- [2432] c:\program files\utorrent\utorrent.exe
Script: Quarantine, Delete, BC delete, Terminate
54835 LISTENING -- -- [1532] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
54836 LISTENING -- -- [1532] c:\windows\system32\svchost.exe
Script: Quarantine, Delete, BC delete, Terminate
56257 LISTENING -- -- [12] c:\program files\skype\phone\skype.exe
Script: Quarantine, Delete, BC delete, Terminate
62193 LISTENING -- -- [12] c:\program files\skype\phone\skype.exe
Script: Quarantine, Delete, BC delete, Terminate
Downloaded Program Files (DPF)
File name Description Manufacturer CLSID Source URL
Elements detected - 3, recognized as trusted - 3
Control Panel Applets (CPL)
File name Description Manufacturer
Elements detected - 22, recognized as trusted - 22
Active Setup
File name Description Manufacturer CLSID
Elements detected - 9, recognized as trusted - 9
HOSTS file
Hosts file record

яю1

Clear Hosts file
Protocols and handlers
File name Type Description Manufacturer CLSID
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
mscoree.dll
Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
Delete
Elements detected - 20, recognized as trusted - 17
Suspicious objects
File Description Type

Main script of analysis
Windows version: Windows Vista ™ Home Basic, Build=6001, SP="Service Pack 1"
System Restore: enabled
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00C90010<>75DC1C36
IAT modification detected: GetModuleFileNameA - 00C90080<>75E04625
IAT modification detected: FreeLibrary - 00C900F0<>75E00B10
IAT modification detected: GetModuleFileNameW - 00C90160<>75E05AF5
IAT modification detected: CreateProcessW - 00C901D0<>75DC1C01
IAT modification detected: LoadLibraryW - 00C902B0<>75DE382D
IAT modification detected: LoadLibraryA - 00C90320<>75DE9671
IAT modification detected: GetProcAddress - 00C90390<>75E0BAC6
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=137B00)
Kernel ntkrnlpa.exe found in memory at address 82233000
SDT = 8236AB00
KiST = 822EB940 (391)
Functions checked: 391, intercepted: 0, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
CmpCallCallBacks = 00000000
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
1.5 Checking of IRP handlers
Driver loaded successfully
Checking - complete
>> Services: potentially dangerous service allowed: TermService (Terminal Services)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery)
>> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
>> Disable HDD autorun
>> Disable autorun from network drives
>> Disable CD/DVD autorun
>> Disable removable media autorun
>> Windows Explorer - show extensions of known file types
System Analysis in progress

System Analysis - complete


Script commands

Add commands to script:

Blocking hooks using Anti-Rootkit
Enable AVZGuard
Operations with AVZPM (true=enable,false=disable)
BootCleaner - import list of deleted files
BootCleaner - import all
Registry cleanup after deleting files
ExecuteWizard ('TSW',2,3,true) - Running Troubleshooting wizard
BootCleaner - activate
Reboot
Insert template for QuarantineFile() - quarantining file
Insert template for BC_QrFile() - quarantining file via BootCleaner
Insert template for DeleteFile() - deleting file
Insert template for DelCLSID() - deleting CLSID item from registry

Additional operations:

Performance tweaking: disable service TermService (Terminal Services)
Performance tweaking: disable service SSDPSRV (SSDP Discovery)
Performance tweaking: disable service Schedule (Task Scheduler)
Security tweaking: disable CD autorun
Security tweaking: disable administrative shares
Security tweaking: disable anonymous user access
Security: disable sending Remote Assistant queries


File list
  • 0
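The log pasted above mixes two kinds of machine output that a responder usually wants to triage rather than read line by line: the Kaspersky Virus Removal Tool event lines (timestamp, action, object kind, verdict, path, severity) and the AVZ "IAT modification detected" lines. The following is an added example, not code from the thread or from Kaspersky/AVZ, that parses both formats into records and summarizes the events by malware family, by where on disk the objects sat, and by action taken. Three of the sample event lines are copied from the log above; the fourth ("Quarantined ... Trojan.Win32.Example.aa ... Medium") is constructed to exercise the non-deleted, non-High case. The line layout assumed by the regexes is taken from the pasted log only.

```python
import re
from collections import Counter
from datetime import datetime

# One Kaspersky Virus Removal Tool event line, as laid out in the pasted log:
# <timestamp> <action> <object kind> <verdict> <path> <severity>
# The object kind may be one or two words ("virus", "Trojan program"), so it is
# matched lazily and anchored by the path, which must start with a drive letter.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>\S+) "
    r"(?P<kind>.+?) "
    r"(?P<verdict>\S+) "
    r"(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<severity>High|Medium|Low)$"
)

# One AVZ user-mode hook finding: "<function> - <hooked addr><><original addr>"
HOOK_RE = re.compile(
    r"^IAT modification detected: (?P<func>\w+) - "
    r"(?P<hooked>[0-9A-Fa-f]+)<>(?P<original>[0-9A-Fa-f]+)$"
)

# Lines 1-3 are copied from the thread's log; line 4 is constructed for this example.
SAMPLE_LOG = r"""
Status: Deleted (events: 16)
9/8/2011 11:10:35 PM Deleted Trojan program Backdoor.Win32.Poison.crtb C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfattachtest.exe High
9/8/2011 11:10:43 PM Deleted Trojan program Backdoor.Win32.Poison.crsu C:\games\LazyNewbPack[0.31.25][V9.2]\LazyNewbPack[0.31.25][V9.2]\LNP\Utilities\C-Hacks\DFhack 0.5.15\dfautodump.exe High
9/9/2011 7:51:52 AM Deleted virus HEUR:Exploit.Script.Generic C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\03UA893J\cmuesal7[1].htm High
9/9/2011 7:52:10 AM Quarantined Trojan program Trojan.Win32.Example.aa C:\Users\Example\AppData\Local\Temp\setup_tmp.exe Medium
"""

# Copied from the AVZ section of the thread's log.
SAMPLE_AVZ = """
Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00C90010<>75DC1C36
IAT modification detected: GetModuleFileNameA - 00C90080<>75E04625
IAT modification detected: LoadLibraryA - 00C90320<>75DE9671
Analysis: ntdll.dll, export table found in section .text
"""


def family_of(verdict):
    """Strip the per-sample variant suffix (".crtb"); heuristic verdicts have none."""
    if verdict.upper().startswith("HEUR:"):
        return verdict
    return verdict.rsplit(".", 1)[0]


def classify_location(path):
    """Coarse bucket for where the object lived; checked most-specific first."""
    p = path.lower()
    if "\\temporary internet files\\" in p:
        return "browser cache"
    if "\\appdata\\local\\temp\\" in p:
        return "user temp"
    if p.startswith("c:\\windows\\"):
        return "windows directory"
    if p.startswith("c:\\program files"):
        return "program files"
    return "other"


def parse_events(text):
    """Return one dict per event line; header lines such as 'Status: ...' are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec.pop("ts"), "%m/%d/%Y %I:%M:%S %p")
        rec["family"] = family_of(rec["verdict"])
        rec["location"] = classify_location(rec["path"])
        events.append(rec)
    return events


def parse_iat_hooks(text):
    """Return (function, hooked address, original address) for each AVZ IAT finding."""
    return [m.groupdict() for m in (HOOK_RE.match(l.strip()) for l in text.splitlines()) if m]


def summarize(events):
    """Aggregate counts a responder checks first: what, where, and what was done about it."""
    return {
        "total": len(events),
        "by_family": dict(Counter(e["family"] for e in events)),
        "by_location": dict(Counter(e["location"] for e in events)),
        "by_action": dict(Counter(e["action"] for e in events)),
        "not_deleted": [e["path"] for e in events if e["action"] != "Deleted"],
        "first": min(e["time"] for e in events) if events else None,
        "last": max(e["time"] for e in events) if events else None,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_events(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
    for hook in parse_iat_hooks(SAMPLE_AVZ):
        print(f"hooked import {hook['func']}: {hook['hooked']} (original {hook['original']})")
```

Two points this surfaces that are easy to miss when reading the raw paste: the single browser-cache hit sits under `C:\Windows\System32\config\systemprofile`, which is the cache used by processes running as LocalSystem rather than by the logged-in user's browser, so it deserves a different question ("which service fetched web content?") than the user-profile hits; and the IAT findings all redirect loader functions (`CreateProcess*`, `LoadLibrary*`, `GetProcAddress`) to the same small region, which is the pattern both malware and legitimately installed security software produce, so such entries are correlated with the installed products before being treated as an infection indicator.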



#17
Render
    Trusted Helper
  • Malware Removal
  • 4,195 posts
Hi,

Are the redirects still evident?
  • 0

#18
retired_deer
    Member
  • Topic Starter
  • 10 posts
No, everything seems to be running smoothly. Thanks a million!
  • 0

#19
Render
    Trusted Helper
  • Malware Removal
  • 4,195 posts
Your logs show that your system is clean. If you have no further issues with your computer, then please proceed with the following housekeeping procedures outlined below.

Removing the tools we used:

Reset System Restore points:

  • Please reopen Posted Image on your desktop.
  • Copy (select all lines inside quote box and press CTRL+C) and Paste (press CTRL+V) the following code into the Posted Image textbox.

    :Commands
    [ClearAllRestorePoints]

  • Click on Posted Image button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click on Posted Image button.

NEXT...

OTL Clean-Up:

  • Reopen Posted Image on your desktop.
  • Click on Posted Image
  • You will be prompted to reboot your system. Please do so.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.


There are a few things I recommend you to do once your computer is completely clean:

Updates for Windows - One of the essentials is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

How to turn on Automatic Updates for Windows:

Updates for other installed software

A common attack method for hacking attempts and malware installs is to exploit known vulnerabilities in programs that are commonly installed on a person's computer. These vulnerabilities could allow a remote user or malware developer to install malware, keyloggers, and backdoors on to your computer without your knowledge or permission.
Some of the programs that are commonly exploited include Adobe Shockwave, Adobe Reader, Sun Java, Adobe Flash, and even Windows itself. Therefore, it is crucial that everyone remain vigilant as to when a security vulnerability is found in our installed programs and update them when a security update is released. Unfortunately, no one has the time to stay on top of these updates, which can happen frequently.

I highly recommend you to install Secunia Personal Software Inspector (PSI) that can be used to scan your computer for known vulnerable programs, provide information on the vulnerability, and provide a location to an update for the vulnerable program. A tutorial on how to use Secunia Personal Software Inspector (PSI) can be found here: Keep Software Updated with Secunia PSI.

Web Browsers - Picking the right internet browser is very important. You need to find one that suits your needs but that is also safe. All browsers listed below are far more secure than Internet Explorer, immune to almost all known browser hijackers, and also have the best built-in pop up blockers.

Although, if you prefer staying with Internet Explorer I highly recommend you do this :

Make Internet Explorer more secure:
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the options Download signed and unsigned ActiveX controls to Prompt, and Initialize and Script ActiveX controls not marked as safe to Disable.
  • Next click OK, then Apply button and then OK to exit the Internet Properties page.

Tips to protect yourself against malware and reduce the potential for re-infection:

Now after all these steps, your PC will be more secure. However it is important to note that you can still get infected if you are not careful. One of the best security programs you can have is common sense. As malware gets more sophisticated, you need to be more wary. If you do get caught though and the above steps can't help prevent it, we will be here to help you out.

Stay secure and thank you for choosing GeeksToGo.
  • 0

#20
Render
    Trusted Helper
  • Malware Removal
  • 4,195 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
