Possible Botnet?


Solved Possible Botnet?

Post by shockzors on 22nd February 2009, 7:02 pm

Okay, well, I play Runescape from time to time and play Runescape private servers sometimes too. On startup I found cache.jar in the directory C:\windows\.jagex_cache_32\Runescape\cache.jar

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:19 PM, on 22/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Tay\Desktop\Rapidshare Downloader\RapidShare Plus.exe
C:\Documents and Settings\Tay\Desktop\Firefox Optimizer\Firefox Ultimate Optimizer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 172.16.1.254 abc ---------- I MADE THIS!
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [FirefoxUltimateOptimizer] "C:\Documents and Settings\Tay\Desktop\Firefox Optimizer\Firefox Ultimate Optimizer.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Download All with Rapidshare Downloader - C:\DOCUME~1\Tay\LOCALS~1\Temp\RarSFX1\jc_all.htm
O8 - Extra context menu item: &Download with Rapidshare Downloader - C:\DOCUME~1\Tay\LOCALS~1\Temp\RarSFX1\jc_link.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} (VaxSIPUserAgentCAB Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - [You must be registered and logged in to see this link.]
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: McAfee Application Installer Cleanup (0094631232312696) (0094631232312696mcinstcleanup) - Unknown owner - C:\DOCUME~1\Tay\LOCALS~1\Temp\009463~1.EXE (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O24 - Desktop Component 0: RuneScape - the massive online adventure game by Jagex Ltd - [You must be registered and logged in to see this link.]
O24 - Desktop Component 2: Play Games, Free Online Games at AddictingGames - [You must be registered and logged in to see this link.]

--
End of file - 8309 bytes

P.S. I deleted the cache.jar and decompiled it. I found it makes some sort of connection to a no-ip.org address and doesn't have the ability to update.

shockzors
Novice
Posts: 19
Joined: 2009-02-22
OS: Windows XP Home SP3
Points: 28450
Likes: 0


Solved Re: Possible Botnet?

Post by Belahzur on 22nd February 2009, 7:06 pm

Hello.
Please don't put logs in code tags; it makes them hard for me to read. I have removed the tags.
The log looks okay aside from this:

O1 - Hosts: 172.16.1.254 abc ---------- I MADE THIS!

Did you actually do that?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245079
Likes: 1


Solved Re: Possible Botnet?

Post by shockzors on 22nd February 2009, 7:07 pm

Ya, oh lol, that's my IP.

Oops, I found a guide to redirect, and I always hate having to find my IP every time I want to edit my modem/router config.

The abc redirect didn't work anyway; I just deleted it.


Solved Re: Possible Botnet?

Post by Belahzur on 22nd February 2009, 7:10 pm

Ah. Only checking; malware could do this to fool helpers into believing that what could be malicious is actually legit.

cache.jar is just the Java cache; we can flush the cache if needed. Let's make sure nothing is hiding.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.





Solved Re: Possible Botnet?

Post by shockzors on 22nd February 2009, 7:12 pm

DDS (Ver_09-02-01.01) - NTFSx86
Run by Tay at 13:11:59.57 on 22/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.537 [GMT -6:00]

FW: COMODO Firewall Pro *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Tay\Desktop\Rapidshare Downloader\RapidShare Plus.exe
C:\Documents and Settings\Tay\Desktop\Firefox Optimizer\Firefox Ultimate Optimizer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tay\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118
uInternet Settings,ProxyOverride = *.local
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\smax4.exe" /tray
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [FirefoxUltimateOptimizer] "c:\documents and settings\tay\desktop\firefox optimizer\Firefox Ultimate Optimizer.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\tay\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
uPolicies-explorer: MemCheckBoxInRunDlg = 0 (0x0)
uPolicies-explorer: NoStrCmpLogical = 0 (0x0)
mPolicies-explorer: NoChangeAnimation = 0 (0x0)
mPolicies-explorer: NoStrCmpLogical = 0 (0x0)
mPolicies-system: RunStartupscriptSync = 1 (0x1)
IE: &Download All with Rapidshare Downloader - c:\docume~1\tay\locals~1\temp\rarsfx1\jc_all.htm
IE: &Download with Rapidshare Downloader - c:\docume~1\tay\locals~1\temp\rarsfx1\jc_link.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} - [You must be registered and logged in to see this link.]
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - [You must be registered and logged in to see this link.]
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - [You must be registered and logged in to see this link.]
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tay\applic~1\mozilla\firefox\profiles\5ovgsh31.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\tay\application data\mozilla\firefox\profiles\5ovgsh31.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07083161.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-18 206096]
R3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [2007-4-21 9344]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\shldrv51.sys --> c:\windows\system32\drivers\ShlDrv51.sys [?]
S2 0094631232312696mcinstcleanup;McAfee Application Installer Cleanup (0094631232312696);c:\docume~1\tay\locals~1\temp\009463~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\tay\locals~1\temp\009463~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\drivers\pavproc.sys --> c:\windows\system32\drivers\PavProc.sys [?]
S3 HIDKbFlt;Dritek USB Keyboard HID Filter;c:\windows\system32\drivers\HIDKbFlt.sys [2004-12-13 21120]
S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2008-5-17 25088]
S3 XDva193;XDva193;\??\c:\windows\system32\xdva193.sys --> c:\windows\system32\XDva193.sys [?]
S4 PavPrSrv;Panda Process Protection Service;"c:\program files\common files\panda software\pavshld\pavprsrv.exe" --> c:\program files\common files\panda software\pavshld\pavprsrv.exe [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-02-21 23:31 54,156 a---h--- c:\windows\QTFont.qfn
2009-02-21 23:31 1,409 a------- c:\windows\QTFont.for
2009-02-20 21:20 --d----- c:\program files\Alcohol Soft
2009-02-20 16:20 --d----- c:\windows\.file_store_33
2009-02-20 16:19 --d----- c:\windows\New Folder
2009-02-20 15:53 --d----- c:\windows\.file_store_32
2009-02-19 21:22 --d----- C:\cache525
2009-02-18 21:41 737,280 a------- c:\windows\iun6002.exe
2009-02-18 21:41 --d----- c:\program files\JFrameBuilder
2009-02-16 20:58 --d----- c:\windows\RegisteredPackages
2009-02-15 17:22 --d----- c:\program files\Hamachi
2009-02-15 12:32 --d----- c:\program files\Garena
2009-02-15 12:31 --d----- c:\program files\Left 4 Dead
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-04 20:49 --d----- c:\program files\Steam
2009-02-04 20:37 --d----- c:\windows\system32\DirectX
2009-02-04 20:13 --d----- c:\windows\system32\directx(2)
2009-02-04 20:12 --d----- c:\windows\LastGood(2)
2009-02-04 20:10 --d----- c:\windows\system32\$DXE_V2$
2009-02-04 18:04 175,386 a------- C:\A_vector_wallpaper_by_blajano.JPG
2009-02-04 11:58 --d----- c:\windows\system32\xlive
2009-02-04 11:58 --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-02-03 22:56 --d----- c:\documents and settings\tay\riotscape.comv4
2009-01-31 22:29 --d----- c:\documents and settings\tay\.thumbnails
2009-01-31 22:11 --d----- c:\documents and settings\tay\.gimp-2.6
2009-01-31 22:11 --d----- c:\documents and settings\tay\.gegl-0.0
2009-01-31 21:35 --d----- c:\program files\GIMP-2.0
2009-01-30 21:33 --d----- c:\documents and settings\tay\wtfhacker.com
2009-01-29 18:52 --d----- c:\docume~1\tay\applic~1\godzHell
2009-01-26 20:02 --d----- c:\program files\GnuWin32
2009-01-24 18:35 0 a---h--- c:\windows\SwSys2.bmp
2009-01-24 18:35 0 a---h--- c:\windows\SwSys1.bmp
2009-01-24 18:34 --d----- c:\program files\Game_Maker7

==================== Find3M ====================

2009-02-20 18:09 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-02-20 15:51 34 a------- c:\documents and settings\tay\jagex_runescape_preferences.dat
2009-02-15 17:22 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-14 01:14 3,455,488 a------- c:\windows\system32\drivers\ati2mtag.sys
2009-01-13 23:46 11,591,680 a------- c:\windows\system32\atioglxx.dll
2009-01-13 22:53 286,720 a------- c:\windows\system32\atiok3x2.dll
2009-01-13 22:49 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2009-01-13 22:47 323,584 a------- c:\windows\system32\ati2dvag.dll
2009-01-13 22:36 196,608 a------- c:\windows\system32\atipdlxx.dll
2009-01-13 22:36 151,552 a------- c:\windows\system32\Oemdspif.dll
2009-01-13 22:36 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2009-01-13 22:35 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-01-13 22:35 155,648 a------- c:\windows\system32\ati2evxx.dll
2009-01-13 22:34 598,016 a------- c:\windows\system32\ati2evxx.exe
2009-01-13 22:32 53,248 a------- c:\windows\system32\ATIDDC.DLL
2009-01-13 22:22 4,009,152 a------- c:\windows\system32\ati3duag.dll
2009-01-13 22:05 2,500,224 a------- c:\windows\system32\ativvaxx.dll
2009-01-13 21:50 48,640 a------- c:\windows\system32\amdpcom32.dll
2009-01-13 21:45 401,408 a------- c:\windows\system32\atikvmag.dll
2009-01-13 21:44 110,592 a------- c:\windows\system32\atiadlxx.dll
2009-01-13 21:44 17,408 a------- c:\windows\system32\atitvo32.dll
2009-01-13 21:43 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
2009-01-13 21:37 307,200 a------- c:\windows\system32\atiiiexx.dll
2009-01-13 21:37 577,536 a------- c:\windows\system32\ati2cqag.dll
2009-01-13 21:05 593,920 -------- c:\windows\system32\ati2sgag.exe
2009-01-13 20:36 45,056 a------- c:\windows\system32\amdcalrt.dll
2009-01-13 20:36 45,056 a------- c:\windows\system32\amdcalcl.dll
2009-01-13 20:34 3,227,648 a------- c:\windows\system32\Amdcaldd.dll
2008-12-26 01:03 2,855 a------- c:\windows\system32\Standby.PIF
2008-12-20 17:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-05 20:59 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-01 14:11 3,107,788 a------- c:\windows\system32\ativvaxx.dat
2008-12-01 14:11 3,107,788 a------- c:\windows\system32\ativva5x.dat
2008-12-01 14:11 887,724 a------- c:\windows\system32\ativva6x.dat
2008-06-27 20:45 87,608 a------- c:\docume~1\tay\applic~1\inst.exe
2008-06-27 20:45 47,360 a------- c:\docume~1\tay\applic~1\pcouffin.sys
2008-04-28 20:46 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-04-16 14:17 1,015,808 a------- c:\documents and settings\tay\WOWMimic.exe
2008-04-16 14:16 462,848 a------- c:\documents and settings\tay\Melete.dll
2008-04-09 10:44 81,920 a------- c:\documents and settings\tay\Launcher.exe
2008-04-09 10:44 77,824 a------- c:\documents and settings\tay\AutoUpdate.exe
2008-06-19 16:19 80 ---shr-- c:\windows\system32\2171035541.dll
2008-05-30 22:16 56 ---shr-- c:\windows\system32\2171035541.sys
2008-05-30 22:18 1,682 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 13:12:15.51 ===============


Btw, that wtfhacker.com thing is a cache from a server. I'm not sure if it's all that safe, but I can delete it because I don't play the server.


Solved Re: Possible Botnet?

Post by Belahzur on 22nd February 2009, 7:15 pm

Hello.
DDS says Comodo Firewall is disabled; did you do this because it blocks your connection to RuneScape?

Also, do you know what this file is?
C:\A_vector_wallpaper_by_blajano.JPG

Other than that, the log looks fine.





Solved Re: Possible Botnet?

Post by shockzors on 22nd February 2009, 7:17 pm

I don't have Comodo Firewall installed anymore.

And that vector wallpaper is my background; I keep them on my hard drive so they don't clutter my folders.


Solved Re: Possible Botnet?

Post by Belahzur on 22nd February 2009, 7:22 pm

Okay.
The log looks fine, I'm not seeing any malware here.





Solved Re: Possible Botnet?

Post by shockzors on 22nd February 2009, 7:25 pm

Okay, well, I think it probably was a botnet, but it wasn't disabled on startup; it was just in the startup registry or w/e, and I never ran it either, but now it's deleted so it should be okay.


Solved Re: Possible Botnet?

Post by Belahzur on 22nd February 2009, 7:29 pm

Let's see what you disabled.

  • Now open a new notepad file.
  • Input this into the notepad file:

    regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
    regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"
    regedit /e peek3.txt "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services"
    type peek1.txt >> look.txt
    type peek2.txt >> look.txt
    type peek3.txt >> look.txt
    del peek*.txt
    start notepad look.txt

  • Save this as look.bat, save it to your desktop.
  • Double click look.bat to run it.
  • Copy and paste the report back here.





Solved Re: Possible Botnet?

Post by shockzors on 22nd February 2009, 7:47 pm

No, I mean in msconfig startup the "Runescape Cache" wasn't enabled by default. If I wanted it to run on startup I would have to go in and click enable. I didn't touch the file until I noticed it today and deleted it, but take a look:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\GameXL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gamexl"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Game Accelerator\\gamexl.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Google Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Google Update"
"hkey"="HKCU"
"command"="\"C:\\Documents and Settings\\Tay\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe\" /c"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\lphcclej0ej2n]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lphcclej0ej2n"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\lphcclej0ej2n.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="QuickTime Task"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RuneScape Cache]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RuneScape Cache"
"hkey"="HKLM"
"command"="C:/windows/.jagex_cache_32/runescape/cache.jar"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SMrhc9lej0ej2n]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rhc9lej0ej2n"
"hkey"="HKLM"
"command"="C:\\Program Files\\rhc9lej0ej2n\\rhc9lej0ej2n.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Somefox]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="setup1066"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\Tay\\LOCALS~1\\Temp\\setup1066.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="steam"
"hkey"="HKCU"
"command"="\"c:\\program files\\steam\\steam.exe\" -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UnlockerAssistant]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UnlockerAssistant"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\w3dr.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="w3dr.exe"
"hkey"="HKLM"
"command"="C:\\Program Files\\Warcraft III\\w3dr.exe"
"inimapping"="0"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Tay^Start Menu^Programs^Startup^hamachi.lnk]
"item"="hamachi"
"path"="C:\\Documents and Settings\\Tay\\Start Menu\\Programs\\Startup\\hamachi.lnk"
"backup"="C:\\WINDOWS\\pss\\hamachi.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Hamachi\\hamachi.exe "

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VMware NAT Service"=dword:00000002
"VMnetDHCP"=dword:00000002
"VMAuthdService"=dword:00000002
"ufad-ws60"=dword:00000003
"PavPrSrv"=dword:00000002
"HamachiService"=dword:00000002
"FLEXnet Licensing Service"=dword:00000003
"idsvc"=dword:00000003

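The startupreg export above records the entries MSConfig has disabled, one key per item with its original hive, value name and command line. As an added example that is not part of this thread, the Python script below parses that .reg export format and flags the entries a helper would look at first: commands launched from a Temp folder, and item names that alternate letters and digits the way rhc9lej0ej2n does. The sample text is constructed from three of the thread's entries, and the alternation threshold and the reasons are my own heuristics.

```python
# Added example (not from the thread): parse a .reg export of MSConfig\startupreg
# entries and flag disabled-startup items worth a closer look; heuristics, not proof.
import re

# Constructed sample mirroring three entries from the thread's export.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SMrhc9lej0ej2n]
"item"="rhc9lej0ej2n"
"command"="C:\\Program Files\\rhc9lej0ej2n\\rhc9lej0ej2n.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Somefox]
"item"="setup1066"
"command"="C:\\DOCUME~1\\Tay\\LOCALS~1\\Temp\\setup1066.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Steam]
"item"="steam"
"command"="\"c:\\program files\\steam\\steam.exe\" -silent"
'''
SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # string values; dword lines skipped

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r'\1', s)

def parse_reg(text):
    """Return {last key component: {value name: data}} for each section."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION_RE.match(line):
            current = entries.setdefault(m.group(1).rsplit('\\', 1)[-1], {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            current[m.group(1)] = unescape(m.group(2))
    return entries

def alternations(name):
    """Count letter/digit switches; generated names like rhc9lej0ej2n alternate a lot."""
    kinds = [ch.isdigit() for ch in name if ch.isalnum()]
    return sum(a != b for a, b in zip(kinds, kinds[1:]))

def triage(entries, min_alternations=4):
    """Map entry name -> reasons, for entries that look suspicious."""
    flagged = {}
    for name, vals in entries.items():
        reasons = []
        if re.search(r'\\temp\\', vals.get('command', ''), re.IGNORECASE):
            reasons.append('command runs from a Temp folder')
        if alternations(vals.get('item', '')) >= min_alternations:
            reasons.append('item name looks machine-generated')
        if reasons:
            flagged[name] = reasons
    return flagged
```

Running `triage(parse_reg(SAMPLE_REG))` flags SMrhc9lej0ej2n and Somefox and leaves Steam alone; a real export contains dword-only sections such as the services key, which the parser simply skips.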
Post by Belahzur on 22nd February 2009, 7:54 pm

Hello.
Thanks, there is a presence of disabled malware.
I want to make sure it's gone.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :files
    C:\Documents and Settings\Tay\Desktop\dds.scr
    C:\Documents and Settings\Tay\Desktop\look.bat
    C:\Documents and Settings\Tay\Desktop\look.txt
    C:\WINDOWS\system32\lphcclej0ej2n.exe
    C:\Program Files\rhc9lej0ej2n\rhc9lej0ej2n.exe

    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\lphcclej0ej2n]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SMrhc9lej0ej2n]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Somefox]

    :commands
    [emptytemp]
    [reboot]


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Post by shockzors on 22nd February 2009, 7:59 pm

========== FILES ==========
File/Folder C:\Documents and Settings\Tay\Desktop\dds.scr not found.
File/Folder C:\Documents and Settings\Tay\Desktop\look.bat not found.
File/Folder C:\Documents and Settings\Tay\Desktop\look.txt not found.
File/Folder C:\WINDOWS\system32\lphcclej0ej2n.exe not found.
File/Folder C:\Program Files\rhc9lej0ej2n\rhc9lej0ej2n.exe not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\lphcclej0ej2n\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SMrhc9lej0ej2n\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Somefox\\ deleted successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Tay\LOCALS~1\Temp\hsperfdata_Tay\3644 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Tay\LOCALS~1\Temp\etilqs_u5onkMPj80SMUkvMr653 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Tay\LOCALS~1\Temp\flaEA.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Tay\LOCALS~1\Temp\~DF61B0.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Tay\LOCALS~1\Temp\~DF7E7A.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_50c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_aeAekR1HWAap55I scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_PPdmcVttjW9KFi4 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\sqlite_WWnqfYqo7nWHpIB scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Tay\Local Settings\Application Data\Mozilla\Firefox\Profiles\5ovgsh31.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Tay\Local Settings\Application Data\Mozilla\Firefox\Profiles\5ovgsh31.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Tay\Local Settings\Application Data\Mozilla\Firefox\Profiles\5ovgsh31.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Tay\Local Settings\Application Data\Mozilla\Firefox\Profiles\5ovgsh31.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Tay\Local Settings\Application Data\Mozilla\Firefox\Profiles\5ovgsh31.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Tay\Local Settings\Application Data\Mozilla\Firefox\Profiles\5ovgsh31.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Opera cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02222009_135819

Post by Belahzur on 22nd February 2009, 8:00 pm

Hello.
While there were signs of disabled malware, it was just adware, not a botnet.

The machine should be fine now.

  • Please double-click OTMoveIt3.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt.
  • It will start cleaning now, and will want to reboot after, please allow it to do so.
  • It will make a log of what it has removed, but I don't need to see the log.


Post by shockzors on 22nd February 2009, 8:08 pm

Okay, I did that. Now I just have to wait for my current download to finish (2 mins) until I reboot.

Post by Belahzur on 22nd February 2009, 8:15 pm

Okay.


Post by shockzors on 22nd February 2009, 8:24 pm

Okay, rebooted. Do you want me to scan any more stuff or anything?

Post by Belahzur on 22nd February 2009, 8:27 pm

We can do a quick scan with MBAM, but I suspect it should be clean.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


Post by shockzors on 22nd February 2009, 8:33 pm

Nothing found:

Malwarebytes' Anti-Malware 1.34
Database version: 1794
Windows 5.1.2600 Service Pack 3

22/02/2009 2:32:31 PM
mbam-log-2009-02-22 (14-32-31).txt

Scan type: Quick Scan
Objects scanned: 74829
Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Also, I already have Spybot S&D, Ad-Aware and all the programs that were suggested last time I had a virus, so no need to paste those.

Spybot
SpywareBlaster
Ad-Aware
SpywareGuard

Post by Belahzur on 22nd February 2009, 8:35 pm

Ah.
Then uninstall MBAM now.


Post by shockzors on 22nd February 2009, 8:39 pm

I will, but why? Isn't it useful for scanning lol?

Also, Spybot S&D seems VERY old, and it's the one I got from here and I updated it.

OK, well, I just updated Spybot, but the SpywareGuard definition update is from 1/22/04 and says I don't need an update.

Post by Belahzur on 22nd February 2009, 8:40 pm

Well yes, it's very effective, but with those 4 programs already installed, I didn't want to cause any lag for your machine.

If it were me, I'd get rid of Ad-Aware/Spybot; their methods of deleting just aren't that effective anymore.


Post by shockzors on 22nd February 2009, 8:42 pm

Well, Malwarebytes doesn't run a process it seems, and I don't notice the programs atm, but I'll uninstall it. Would ESET NOD with ZoneAlarm/Comodo firewall be more effective than all 4/5 of my current programs? (full/pro versions of ESET and ZoneAlarm ofc)

Post by Belahzur on 22nd February 2009, 8:47 pm

Maybe, but then I would also recommend MBAM just for on-demand because it's so effective.

Basically it's just finding the right combination of protection programs.


Post by shockzors on 23rd February 2009, 4:06 am

I downloaded BitDefender 2009. I looked up "top ten anti-virus" and it was 5/5 for every feature, along with Kaspersky.

Post by Doctor Inferno on 6th July 2009, 3:44 am

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a [You must be registered and logged in to see this link.] for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.
