ohnonotagain
Topic Starter
Starter
Posts: 4
Experience: Beginner
OS: Unknown
help pls
« on: November 28, 2010, 03:17:19 AM »
• Capability to block access to several security-related Web sites by modifying the hosts file.
• A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.
• MS04-011: LSASS Overflow exploit - replication across TCP 445 (common for Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots).
• Capability to delete the network shares C$, ADMIN$, IPC$, etc. A network-aware worm may secure shares in order to protect itself.
Summary of the detected memory objects:
• Process "svchost.exe", heap page: [0x029f0000 - 0x02a30000]
• Process "svchost.exe", heap page: [0x02ab0000 - 0x02af0000]
• Process "svchost.exe", heap page: [0x02af0000 - 0x02b30000]
Identified by ThreatExpert. All other scanners missed it. Kept getting lost internet connection and DNS errors when visiting certain websites. How do I repair this file please? Thanks.
IP logged
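As an added example that is not part of the thread or of ThreatExpert's report, a small Python auditor for the hosts-file tampering named in the first finding (the file the poster asks how to repair): it parses hosts entries, flags watch-listed security-vendor domains, non-localhost names blackholed to loopback, redirections to a foreign address and malformed lines, and emits a cleaned copy that keeps only the stock loopback entries. The sample hosts content and the watch-list of domains are constructed for the example.

```python
# Added example (not from the thread or its tools): audit a Windows hosts file
# for the tampering described above. Sample content and watch-list are constructed.
import ipaddress
# Constructed watch-list: sites a worm would want to make unreachable.
SECURITY_DOMAINS = {"www.superantispyware.com", "www.malwarebytes.org", "www.emsisoft.com"}
# Constructed sample: two stock loopback lines, then tampering. 192.0.2.10 is a
# documentation-range address standing in for an attacker-controlled host.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.superantispyware.com      # watch-listed security site
127.0.0.1 forum.example.org             # ordinary site blackholed to loopback
192.0.2.10 www.example.com              # site redirected to a foreign address
bogus-entry
"""

def parse_hosts(text):
    """Yield (lineno, ip_or_None, [hostnames]) for every non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            yield lineno, ipaddress.ip_address(addr), names
        except ValueError:  # first token is not an address at all
            yield lineno, None, [addr, *names]

def audit_hosts(text, watch=SECURITY_DOMAINS):
    """Return (lineno, verdict, hostname) findings; empty means a stock file."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if ip is None:
            findings.append((lineno, "malformed", " ".join(names)))
            continue
        for host in (n.lower() for n in names):
            if host == "localhost" and ip.is_loopback:
                continue  # the only entries a stock Vista hosts file carries
            if host in watch:
                findings.append((lineno, "security-site hijack", host))
            elif ip.is_loopback:
                findings.append((lineno, "blackholed host", host))
            else:
                findings.append((lineno, "redirected host", host))
    return findings

def clean_hosts(text, watch=SECURITY_DOMAINS):
    """Return the hosts content with every flagged line dropped."""
    bad = {lineno for lineno, _, _ in audit_hosts(text, watch)}
    return "\n".join(l for i, l in enumerate(text.splitlines(), 1) if i not in bad) + "\n"
```

On a live Vista machine the file to feed in is %SystemRoot%\System32\drivers\etc\hosts, and the cleaned copy should replace it only after reviewing the findings, since legitimate custom entries would also be flagged as redirected.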
harry 48
Egghead
Thanked: 118
Posts: 2,822
Certifications: List
Computer: Specs
Experience: Familiar
OS: Windows 7
lay back, relax and chill out
harrythehandyman.wordpress.com [Thanked over 50 times.]
Re: help pls
« Reply #1 on: November 28, 2010, 04:47:25 AM »
Go to the link below and complete it, post the 3 logs, and a malware expert will help you.
http://www.computerhope.com/forum/index ... 313.0.html
Don't take life too seriously . . . no one gets out alive! So smile and be happy.
http://harrythehandyman.wordpress.com/ D.I.Y help site
ohnonotagain
Re: help pls
« Reply #2 on: November 28, 2010, 12:00:36 PM »
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 11/28/2010 at 06:33 PM
Application Version : 4.46.1000
Core Rules Database Version : 5921
Trace Rules Database Version: 3733
Scan type : Complete Scan
Total Scan Time : 01:57:21
Memory items scanned : 742
Memory threats detected : 0
Registry items scanned : 9290
Registry threats detected : 0
File items scanned : 142118
File threats detected : 0
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5207
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975
28/11/2010 18:43:02
mbam-log-2010-11-28 (18-43-02).txt
Scan type: Quick scan
Objects scanned: 149349
Time elapsed: 6 minute(s), 27 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:54:36, on 28/11/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Norton PC Checkup\Engine\2.0.6.11\ccSvcHst.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Real-time Defender Professional\RuleEditor.exe
C:\Program Files\WinMHR\WinMHR.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Real-time Defender Professional\Alarm.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\PROGRA~1\MICROS~2\wkcalrem.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\taskeng.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\sniper.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [PS_Alarm] C:\Program Files\Real-time Defender Professional\Alarm.exe
O4 - HKLM\..\Run: [PS_RuleEditor] C:\Program Files\Real-time Defender Professional\RuleEditor.exe
O4 - HKLM\..\Run: [Winsonar] C:\Users\nunakin\AppData\Local\Winsonar\winsonar.exe
O4 - HKCU\..\Run: [WinMHR] C:\Program Files\WinMHR\WinMHR.exe /minimize
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Emsisoft Anti-Malware 5.0 - Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\Emsisoft Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: Norton PC Checkup Application Launcher - Symantec Corporation - C:\Program Files\Norton PC Checkup\Engine\2.0.6.11\SymcPCCULaunchSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Common Client Job Manager Service (PCCUJobMgr) - Symantec Corporation - C:\Program Files\Norton PC Checkup\Engine\2.0.6.11\ccSvcHst.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8181 bytes
Using Vista 32-bit Home Basic. Computer is an AMD Athlon dual core QL-64 based laptop, NVIDIA GeForce 8200M G, 3GB RAM. Thanks.
ohnonotagain
Re: help pls
« Reply #3 on: November 28, 2010, 12:11:19 PM »
Just one other thing. I have another kind of last line of defence program called Trusteer Rapport. It has reported the following in the last week:
attempt to alter function LdrLoadDll blocked (quite a few times)
also 16 password keyword protection events (anti-keylogging) activations
1 blocked cookie access event - Rapport prevents the capturing of the Trusteer Rapport cookie SESS37802e1C51708b11897d0B1f9ba86017
6 blocked screen capture events - programs are SystemExplorer.exe, Bubbles.scr, a2start.exe, dwm.exe, iexplorer.exe, Bubbles.scr
Thanks in advance.
ohnonotagain
Re: help pls
« Reply #4 on: November 28, 2010, 12:15:56 PM »
Sorry, very last thing. Norton reported recently that it blocked an intrusion attempt from something like a Phoenix kit or something. Did a scan and found a trojan which was removed, but that might not have anything to do with this!! Dear dear. What is the net coming to? Don't go on any dodgy sites, really don't... nothing is safe, is it?
harry 48
Re: help pls
« Reply #5 on: November 28, 2010, 12:30:58 PM »
Quote: "What is the net coming to? Don't go on any dodgy sites, really don't... nothing is safe, is it?" True, very true.
Read and download this: http://www.mywot.com/en/download/ff. It lets you know which sites are good.
Sit back and wait for an expert; I cannot help with malware.