Thread: Dnserror
04-27-2007, 05:15 PM   #11
Coffeeguy
Registered User
 
Join Date: Apr 2007
Posts: 11
OS: XP


Re: Dnserror

Panda log, and dss log


Incident                                        Status           Location

Spyware:Cookie/Atwola                           Not disinfected  C:\Documents and Settings\Brian\Cookies\brian@atwola[2].txt
Spyware:Cookie/Doubleclick                      Not disinfected  C:\Documents and Settings\Maggie\Application Data\Mozilla\Firefox\Profiles\peq0dlnh.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Doubleclick                      Not disinfected  C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\93ke2y15.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising                      Not disinfected  C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\93ke2y15.default\cookies.txt[.advertising.com/]
Spyware:Cookie/PointRoll                        Not disinfected  C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\93ke2y15.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/WUpd                             Not disinfected  C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\znpy8gbj.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Casalemedia                      Not disinfected  C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\znpy8gbj.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Searchportal                     Not disinfected  C:\Documents and Settings\TEMP\Application Data\Mozilla\Firefox\Profiles\znpy8gbj.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Atlas DMT                        Not disinfected  C:\Documents and Settings\TEMP\Cookies\brian@atdmt[1].txt
Spyware:Cookie/Doubleclick                      Not disinfected  C:\Documents and Settings\TEMP\Cookies\brian@doubleclick[1].txt
Potentially unwanted tool:Application/NirCmd.A  Not disinfected  C:\Documents and Settings\TEMP\Desktop\ComboFix.exe[ComboFixT\nircmd.cfexe]
Spyware:Spyware/New.net                         Not disinfected  C:\QooBox\Quarantine\C\WINDOWS\NDNuninstall6_38.exe.vir
Potentially unwanted tool:Application/NirCmd.A  Not disinfected  C:\WINDOWS\nircmd.exe






Deckard's System Scanner v20070423.42
Run by Brian on 2007-04-27 at 18:10:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Brian.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:11:05 PM, on 4/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\SIERRA\steam.exe
C:\Documents and Settings\TEMP\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Brian.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Steam] "c:\sierra\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


-- Files created between 2007-03-27 and 2007-04-27 -----------------------------

2007-04-27 15:48:56 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-04-27 15:41:21 0 d-------- C:\WINDOWS\LastGood
2007-04-26 18:33:43 0 d-------- C:\Program Files\Windows Media Connect 2
2007-04-26 18:32:08 0 d-------- C:\WINDOWS\system32\LogFiles
2007-04-26 18:32:08 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-04-26 16:19:52 49152 --a------ C:\WINDOWS\nircmd.exe <Not Verified; NirSoft; NirCmd; 1.85; 1.85>
2007-04-23 20:44:53 0 dr------- C:\Documents and Settings\LocalService\Favorites


-- Find3M Report ---------------------------------------------------------------

2007-04-27 16:26:13 0 d-------- C:\Program Files\Symantec AntiVirus
2007-04-27 16:08:27 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-04-24 19:31:20 0 d-------- C:\Program Files\Google
2007-04-24 19:29:59 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-24 19:26:17 0 --a------ C:\Documents and Settings\TEMP\Application Data\.googlewebacchosts


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"Amazing3DAquariumWallpaper"=""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
"MsgCenterExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\RealOneMessageCenter.exe\" -osboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"="\"c:\\sierra\\steam.exe\" -silent"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"AIM"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-04-27 at 18:11:45 ---------