Thread: proscks trojan
09-07-2008, 08:12 PM   #10
davidmcc
Registered User
 
Join Date: Aug 2008
Posts: 7
OS: Windows XP


Re: proscks trojan

Computer seemed to run normally...

SDFix Scan:

SDFix: Version 1.222
Run by David McCleskey on Sun 09/07/2008 at 19:41

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\Documents and Settings\David McCleskey\Desktop\SDFix

Checking Services :

Name :
nobicyt

Path :
C:\WINDOWS\system32\Nobicyt.exe

nobicyt - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found




Folder C:\Documents and Settings\David McCleskey\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#w*w.redtube.com - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-07 19:54:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\EID Pinger v1.01\\DFBHDPinger.exe"="C:\\Program Files\\EID Pinger v1.01\\DFBHDPinger.exe:*:Enabled:DFBHDPinger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Sun 3 Apr 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 31 Mar 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Mon 31 Mar 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Wed 31 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 12 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sun 20 May 2007 0 ...H. --- "C:\Documents and Settings\David McCleskey\Application Data\Microsoft\Word\~WRL0573.tmp"
Sun 20 May 2007 0 ...H. --- "C:\Documents and Settings\David McCleskey\Application Data\Microsoft\Word\~WRL0819.tmp"
Sun 24 Feb 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Sun 24 Feb 2008 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sun 24 Feb 2008 8 A..H. --- "C:\Documents and Settings\David McCleskey\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sun 24 Feb 2008 8 A..H. --- "C:\Documents and Settings\David McCleskey\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"

Finished!



Panda Active Scan


;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-09-07 20:56:34
PROTECTIONS: 2
MALWARE: 5
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee Internet Security Suite 2007 8.1 No Yes
McAfee VirusScan Plus 12.1 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\David McCleskey\Cookies\david_mccleskey@atdmt[2].txt
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{CB49CA95-3B4A-40B2-9FEA-7098EA2B225B}\RP1\A0000048.exe
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\David McCleskey\Desktop\SDFix\apps\Process.exe
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\David McCleskey\Desktop\SDFix.exe[C:\Documents and Settings\David McCleskey\Desktop\SDFix.exe][SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\David McCleskey\Desktop\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system32\Process.exe
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\David McCleskey\Cookies\david_mccleskey@tribalfusion[2].txt
03477235 Application/SmithFraudFix.A HackTools No 0 Yes No C:\Documents and Settings\David McCleskey\Desktop\SmitfraudFix.exe
03541233 HackTool/Rebooter HackTools No 0 Yes No C:\Documents and Settings\David McCleskey\Desktop\SmitfraudFix\Reboot.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\QooBox\Quarantine\C\WINDOWS\system32\svchost.exe.vir
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================


Thanks once again for your assistance, ma'am
davidmcc

(paullotion revealed your gender in a McAfee post to me today)
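Added example (not part of the post above, and not Panda's or SDFix's own tooling): a small parser for the MALWARE table of a Panda ActiveScan report, plus a triage pass that sorts each hit by where it was found. Most of the nine detections in the report above are either tracking cookies, a dormant copy inside a System Restore point, or components of the removal tools the poster was asked to run (SDFix and SmitfraudFix bundle Process.exe and Reboot.exe, which AV products routinely flag as HackTools); only the inactive Process.exe in system32 falls outside those buckets and is left for a human to look at. The input rows are copied from the report above; the column regex and the triage rules are this example's own assumptions, not Panda's classification scheme.

```python
"""Parse the MALWARE table of a Panda ActiveScan report and triage each
detection by location.  Added example, not code from the forum post or
from Panda.  Rows below are copied from the report in the post; the
triage buckets are an assumption about how a helper would sort them."""
import re
from collections import Counter
from typing import Dict, List

# Column order from the report header:
#   Id Description Type Active Severity Disinfectable Disinfected Location
# Description may contain spaces ("Cookie/Atlas DMT"), so anchor the
# match on the fixed-vocabulary columns (Yes/No, a digit) that follow it.
ROW_RE = re.compile(
    r"^(?P<id>\d{8})\s+(?P<description>.+?)\s+(?P<type>\S+)\s+"
    r"(?P<active>Yes|No)\s+(?P<severity>\d+)\s+"
    r"(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+(?P<location>.+)$"
)

# Rows from the MALWARE section of the Panda ActiveScan report above.
PANDA_MALWARE_LINES = [
    r"00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\David McCleskey\Cookies\david_mccleskey@atdmt[2].txt",
    r"00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{CB49CA95-3B4A-40B2-9FEA-7098EA2B225B}\RP1\A0000048.exe",
    r"00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\David McCleskey\Desktop\SDFix\apps\Process.exe",
    r"00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\David McCleskey\Desktop\SDFix.exe[C:\Documents and Settings\David McCleskey\Desktop\SDFix.exe][SDFix\apps\Process.exe]",
    r"00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\David McCleskey\Desktop\SmitfraudFix\Process.exe",
    r"00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system32\Process.exe",
    r"00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\David McCleskey\Cookies\david_mccleskey@tribalfusion[2].txt",
    r"03477235 Application/SmithFraudFix.A HackTools No 0 Yes No C:\Documents and Settings\David McCleskey\Desktop\SmitfraudFix.exe",
    r"03541233 HackTool/Rebooter HackTools No 0 Yes No C:\Documents and Settings\David McCleskey\Desktop\SmitfraudFix\Reboot.exe",
]

# Folders/archives belonging to the removal tools run in this thread.
# Assumption for this example: anything under them is a tool component.
CLEANUP_TOOL_MARKERS = ("\\sdfix", "\\smitfraudfix")


def parse_rows(lines: List[str]) -> List[Dict[str, object]]:
    """Turn each report row into a dict with typed Active/Severity/... fields."""
    rows: List[Dict[str, object]] = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable Panda row: {line!r}")
        d: Dict[str, object] = m.groupdict()
        d["active"] = d["active"] == "Yes"
        d["severity"] = int(str(d["severity"]))
        d["disinfectable"] = d["disinfectable"] == "Yes"
        d["disinfected"] = d["disinfected"] == "Yes"
        rows.append(d)
    return rows


def triage(row: Dict[str, object]) -> str:
    """Bucket a detection by type and path; 'review' means a human should look."""
    loc = str(row["location"]).lower()
    if row["type"] == "TrackingCookie":
        return "cookie"
    if "\\system volume information\\" in loc:
        return "restore-point"   # dormant copy inside a System Restore point
    if any(marker in loc for marker in CLEANUP_TOOL_MARKERS):
        return "cleanup-tool"    # bundled utility of a removal tool the user ran
    if row["active"]:
        return "active-threat"   # running/loaded at scan time: highest priority
    return "review"              # inactive and outside known folders


def summarise(lines: List[str]) -> Dict[str, int]:
    """Count detections per triage bucket."""
    return dict(Counter(triage(r) for r in parse_rows(lines)))


if __name__ == "__main__":
    for r in parse_rows(PANDA_MALWARE_LINES):
        print(f"{triage(r):14} {str(r['description']):32} {r['location']}")
    print(summarise(PANDA_MALWARE_LINES))
```

The point of the "review" bucket is that a file called Process.exe sitting in C:\WINDOWS\system32 is not explained by the tool folders alone, so it should be checked (hash, signature, timestamp against the SDFix/SmitfraudFix runs) rather than dismissed with the rest of the HackTools hits. The QooBox\Quarantine entry in the SUSPECTS section is a quarantined copy (.vir extension) and is in a different table, so it is deliberately not fed through this parser.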