Solved

Possible virus/malware can someone take a look for any anomalies

Posted on 2011-03-04
Last Modified: 2013-12-06
Possible bug


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:42:31 PM, on 3/2/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qwest.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Qwest
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30360BB8-9D09-4BCF-874D-5C2E1D523C46}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{F01703B0-3FD7-4949-9AEE-D96C6C1C07AA}: NameServer = 156.154.70.22,156.154.71.22
O20 - AppInit_DLLs:  C:\WINDOWS\system32\guard32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe (file missing)
O23 - Service: SupportSoft RemoteAssist - Unknown owner - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe (file missing)

--
End of file - 6201 bytes
Question by:derekfurman
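An added example, not code from this thread and not part of HijackThis: a small Python triage pass over the entry types the thread argues about. It pulls the O17 NameServer addresses, the O20 AppInit_DLLs, the O23 services (including the "(file missing)" ones that Sudeep Sharma and younghv disagree about below), the O4 Run values, and checks the running-process list for core Windows binaries started from somewhere other than system32. The KNOWN_RESOLVERS and SYSTEM_BINARIES tables are hand-built assumptions, not a database. Two facts in those tables are mine rather than the page's: 156.154.70.22 and 156.154.71.22 are Comodo Secure DNS addresses (consistent with the COMODO Internet Security install visible in the process list), and guard32.dll is COMODO's own AppInit DLL. The sample input is excerpted from the log above, plus one constructed process line so the path check has something to hit.

```python
"""Triage the persistence- and DNS-related entries of a HijackThis log.
Added example; not code from the thread or from HijackThis. KNOWN_RESOLVERS
and SYSTEM_BINARIES are small hand-built tables (assumptions), not a database."""
import re

# Lines excerpted from the log posted above. The Temp\svchost.exe process line
# is CONSTRUCTED (not in the posted log) so the path check has something to hit.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Documents and Settings\user\Local Settings\Temp\svchost.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{30360BB8-9D09-4BCF-874D-5C2E1D523C46}: NameServer = 156.154.70.22,156.154.71.22
O20 - AppInit_DLLs:  C:\WINDOWS\system32\guard32.dll
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
SERVICE_RE = re.compile(r"^Service: (.*?) - (.*?) - (.*?)( \(file missing\))?$")
RUN_RE = re.compile(r"^HK.*?\\\.\.\\Run: \[([^\]]*)\] (.*)$")

# Assumption: hand-built allowlist of resolver addresses. Extend for your estate.
KNOWN_RESOLVERS = {"156.154.70.22": "Comodo Secure DNS", "156.154.71.22": "Comodo Secure DNS",
                   "8.8.8.8": "Google Public DNS", "8.8.4.4": "Google Public DNS"}
# Core XP binaries that should only ever run from system32.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM_DIR = r"c:\windows\system32"


def parse_entries(log):
    """Return [(code, body)] for every 'Oxx - ...' line in the log."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(m.groups())
    return out


def running_processes(log):
    """Paths listed under 'Running processes:' up to the first blank line."""
    if "Running processes:" not in log:
        return []
    block = log.split("Running processes:", 1)[1].split("\n\n", 1)[0]
    return [l.strip() for l in block.splitlines() if l.strip()]


def name_servers(entries):
    """Resolver addresses from O17 NameServer entries, in log order."""
    ips = []
    for code, body in entries:
        if code == "O17" and "NameServer = " in body:
            ips += [ip.strip() for ip in body.split("NameServer = ", 1)[1].split(",")]
    return ips


def appinit_dlls(entries):
    """DLL paths from O20 AppInit_DLLs entries (comma or space separated)."""
    dlls = []
    for code, body in entries:
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls += [d for d in re.split(r"[,\s]+", body[len("AppInit_DLLs:"):].strip()) if d]
    return dlls


def services(entries):
    """[{'name','owner','path','missing'}] for O23 entries."""
    out = []
    for code, body in entries:
        m = SERVICE_RE.match(body) if code == "O23" else None
        if m:
            out.append({"name": m.group(1), "owner": m.group(2),
                        "path": m.group(3), "missing": m.group(4) is not None})
    return out


def run_values(entries):
    """[(value name, command)] for O4 Run-key entries."""
    return [RUN_RE.match(b).groups() for c, b in entries if c == "O4" and RUN_RE.match(b)]


def triage(log):
    """(severity, message) findings a human should look at, in log order."""
    findings, entries = [], parse_entries(log)
    for proc in running_processes(log):
        folder, _, exe = proc.rpartition("\\")
        if exe.lower() in SYSTEM_BINARIES and folder.lower() != SYSTEM_DIR:
            findings.append(("high", f"core binary name outside system32: {proc}"))
    for ip in name_servers(entries):
        known = KNOWN_RESOLVERS.get(ip)
        findings.append(("info", f"resolver {ip} is {known}") if known
                        else ("high", f"unrecognised resolver {ip}: confirm who set it"))
    for dll in appinit_dlls(entries):
        findings.append(("medium", f"AppInit_DLLs loads into every user32 process: {dll}"))
    for svc in services(entries):
        if svc["missing"]:
            findings.append(("low", f"service {svc['name']!r}: image not found, verify on disk: {svc['path']}"))
        elif svc["owner"].lower() == "unknown owner":
            findings.append(("medium", f"service {svc['name']!r}: no publisher: {svc['path']}"))
    for name, cmd in run_values(entries):
        if "\\" not in cmd.split()[0]:
            findings.append(("medium", f"Run value {name!r} gives no path, resolved by search order: {cmd}"))
    return findings
```

`triage(SAMPLE_LOG)` returns six findings: the constructed Temp\svchost.exe process (high), both Comodo resolvers (info), guard32.dll in AppInit_DLLs (medium), the PnkBstrA service whose image HJT could not find (low), and the SoundMan Run value that names SOUNDMAN.EXE with no directory (medium). A "(file missing)" service is deliberately rated low: as the thread discusses, that tag only means HJT could not resolve the image path, so check the path on disk before deleting the service.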
22 Comments
 

Author Comment

by:derekfurman
I did this already; the HijackThis log was taken before I ran the cleanup you suggest. I am looking for any bugs/virus/malware beyond what is made obvious by applications. I see the file missing and such (obvious).


Author Comment

by:derekfurman
OK, neither of you see any issues? I think that's good enough, thanks.


Expert Comment

by:Bitsbac
I would recommend downloading ComboFix.

It was the only tool that found and deleted a rootkit.

After using Malwarebytes and CCleaner, I almost gave up and was about to do a complete reinstall. I ran ComboFix, and it has been running like new ever since.

Expert Comment

by:Sudeep Sharma
A few things:
You could safely remove these three:
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe (file missing)
O23 - Service: SupportSoft RemoteAssist - Unknown owner - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe (file missing)

Also check these two, if you are aware of what they are for; it seems like DNS servers for your system:
O17 - HKLM\System\CCS\Services\Tcpip\..\{30360BB8-9D09-4BCF-874D-5C2E1D523C46}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{F01703B0-3FD7-4949-9AEE-D96C6C1C07AA}: NameServer = 156.154.70.22,156.154.71.22

Sudeep

Expert Comment

by:younghv
derekfurman,
In the future please evaluate the advice you are given and never accept comments just because "I trust the opinion of 2 people".

Neither of those Expert comments is correct.
You do NOT "boot to safe mode with networking and download Malware Bytes", and anyone who understands how anti-malware works knows that.

There have been numerous discussions here at EE and at the Malwarebytes forum about this on-going "Safe Mode" recommendation, and future readers of this question should know what the proper answer is.

See this: http://forums.malwarebytes.org/index.php?showtopic=17334&pid=88995&start=&st=#entry88995

As far as the other part of your question, it is simply the inability of HijackThis to process the information. What was once a great program for malware fighters has become less and less useful since being acquired by Trend.

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe (file missing)
O23 - Service: SupportSoft RemoteAssist - Unknown owner - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe (file missing)

Expert Comment

by:younghv
Follow up...
If you are playing "Battlefield" or "America's Army", please ignore the advice to remove those entries.

Accepted Solution

by:
younghv earned 500 total points
derekfurman,
Please review my comments in http:#a35039269 again and ignore any comments about "O23" entries in an HJT log.

It is just a shortcoming in HJT that produces the "File Missing" comment.

For some good basic information about malware prevention and trouble-shooting, please read my Articles here:

http://www.experts-exchange.com/A_1958.html (MALWARE - "An Ounce of Prevention...")
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)

Author Comment

by:derekfurman
I was on the edge about this site; thanks for saving me the subscription fee.

Expert Comment

by:younghv
Closing comment:

"Never said they were correct. Of course I do not put a system in safe mode then download apps and run them. Just like most of the advice I get here I take with a grain of salt. I don't really care what anyone else has to say after that because it does not answer the question I asked"

Actually, you did say they were correct. You "Accepted" their comments, which stored the inaccurate information in our permanently searchable database. By accepting their comments, you were de facto saying they were correct.

Your Closing Comment makes it clear that you consider them correct:
"I trust the opinion of 2 people I'm going with that"
******************************

"Possible virus/malware can someone take a look for any anomalies"
"I did this already the HijackThis log was taken before I ran the cleanup you suggest. I am looking for any bugs/virus/malware beyond what is made obvious by applications. I see the file missing and such (obvious)"

Since you already ran Malwarebytes, your HijackThis log done BEFORE you ran it is worthless for evaluating – even though I did correct even more bad information about the "O23" entries. Further, I gave you a warning that modifying those entries might interfere with installed applications.

For future reference, HijackThis will not give much more than some basic system and application information for real Experts to review. A program that used to be one of the best in fighting malware has lost most of its effectiveness due to the new owners neglecting updates.
*********************************

Whether or not you decide to stay with EE is – of course – entirely your decision, but you might keep in mind for any future questions that YOUR participation is the single most critical element of success around here.

Collaboration and mutual respect are what make our site so effective.

Expert Comment

by:mfulksCBT
If you read the link from the Malwarebytes forum, it says there is nothing wrong with running Malwarebytes in Safe Mode as long as it's followed by running in Normal mode. How does someone get Malwarebytes installed when they already have malware that prevents any anti-virus/anti-malware website from loading? Last week I ran Malwarebytes on an infected computer while in Normal mode. It found nothing. I booted to Safe Mode, downloaded and installed Malwarebytes again, and it successfully found and removed two infections.

Expert Comment

by:mfulksCBT
Monitoring?

Expert Comment

by:younghv
mfulksCBT –
Welcome to EE – I see that you are a brand new member.

You pose a couple of good questions.

I am a long time member of the MBAM forum and this question has been discussed frequently. The key part of your comment above ends with these words: "…as long as it's followed by running in Normal mode."

That caveat was not included in the comments that were deleted from this question – both referred only to something about booting to Safe Mode, then download and scan.

If you are interested in using MBAM, please note the last sentence in the response from "Swandog46":
"It is not unsafe to scan in Safe Mode, just less effective."

To my knowledge, the only variant of malware that calls for "Safe Mode with Networking" is something called "Trojan.Horse.Win32.PAV.64.a" (aka Windows Optimal Tool). Of course, in this business things can change at the drop of a hat – so that may be different by the time I stop typing.

The second part of your comment is something that I address several times a week here.

The actual file name of the executable for both Malwarebytes and ComboFix is recognized by several flavors of malware, and it will react as soon as the file(s) hit your desktop. In some cases it will stop the actual installation and in some cases it will affect the running of either program.

The solution is to either use the "Save As" function to assign a random name BEFORE downloading, or save it to a clean computer, rename it, and copy it to a USB stick or CD. Take that clean (re-named) version over to the infected computer, copy it/them to the desktop and do your installation.

If you are interested in an on-going discussion of CF and MBAM, please review this question (and join in): http://www.experts-exchange.com/Q_24860646.html

Expert Comment

by:mfulksCBT
I'm not actually new. I switched jobs. My previous employer paid for EE, so I never bothered answering any questions.

The Save As is a good tip; I never tried that. At work I'd usually just remove the hard drive and scan it from another computer.

Expert Comment

by:younghv
"At work I'd usually just remove the hard drive and scan it from another computer."

A lot of us used to do that in the old days, but that is only good for "known" file names that are malware-related.

With the current stuff there are so many random names generated that you can't really rely on that method (but it is certainly one of the "Kitchen Sink" techniques I'll try when nothing else seems to work).

Almost all current malware needs to be identified and cleaned during a "Normal Mode" boot, simply because that is when the malware processes are running.

Safe Mode and external/slaving of the HDD can't repair the infection because the malware isn't actively running.


Assisted Solution

by:derekfurman
derekfurman earned 0 total points
Cookie monster says "DIS DONE WERE COOKIE!"

Expert Comment

by:younghv
Which is exactly why I made the recommendation in http:#a35044834

http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)
"In all cases, I start by cleaning out all of the "Junk/Temp" files (many forms of malware sit in these folders). My program of choice for this is CCleaner (www.ccleaner.com), but there are a wide variety of alternatives."

Cleaning out your Junk/Temp files (where Cookies reside) is always a basic step in Malware Troubleshooting, since that is where so many malware .exe files are stored.

Expert Comment

by:younghv
SouthMod,
Thank you.

All of the information needed was in: http:#a35044834

younghv

Expert Comment

by:BGTSLLC
Install Hitman Pro 3.5 in Safe Mode w/ Networking. That will resolve it; then run MBAM afterwards.