 |
Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
|
| View previous topic :: View next topic |
| Author |
Message |
PlaidKillaDude
Newbie
Joined: 15 Jun 2012
Last Visit: 05 Aug 2012
Posts: 1
|
 Posted: Fri Jun 15, 2012 6:34 pm Post subject: DSS removal tool not valid for WinXPpro64 |
 |
|
Hi,
I hope I posted this in the right place. I haven't seen anyother comments in the Tutorial's or FAQs and a search using ["XP" AND "64"] search term didn't produce any hits either.
There are several questions in here:
[1] A DSS workaround for WinXPp64 machine
[2] Establishing a baseline for a WinXPp64 machine
[3] Log Files
I am asking for help with a DSS workaround and an analysis of the log file posted afer "[3] Log Files"
Many thanks
PlaidKillaDude
[1] WORKAROUND
Do you have a Workaround for DSS not running on WinXPp64 machine ? Does DSS need to run on the machine that produced the HJT log file?
I am proposing doing the following workaround - comments ?
(a) obtain the HJT log on the WinXPp64 machine
(b) shove the HJT log on a memory stick
(c) goto to my other WinXPp32 machine
(d) run DSS on the log file
(e) copy the DSS results back to the memory stick
(f) return to the WinXPp64 machine and post the resulting files to the forum
[2] BASELINE
I want to establish a baseline for my PC but don't appearto be able to do this without using this tool.
I have just cleaned up my PC as best I can from startups and unnecessary sessions that hog CPU cycles. Also, as far as I know my PC is clean of malware.
Having a baseline to work from would mean that I could use Windows command line and FC.EXE to compare HiJackThis log files and hopefully resolveproblems faster.
Fron the Tutorial notes I know which processes are (probably) legitimate Windows processes but have listed them all here.
--------------------------------------------------------
[3] LOG FILES run 16/06/2012 at 0915NZST
--------------------------------------------------------
Additional Info: multiboot MSDOS622,Ubuntu 10.04 & WinXpp64
Hardware: 7 TB HDD, 8 GB, Xeon Dual 3.16 GHz CPU's
AntiMalware S/W: Spybot S & D, AVG 2012 Free, MalwareBytes
Note that Win XP professional 64-bit machines do not run the Microsoft Service Pack 3.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:15:28 a.m., on 16/06/2012
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
E:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
E:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe
E:\Program Files (x86)\Java\jre6\bin\jqs.exe
E:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe
E:\Program Files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
E:\Program Files (x86)\Adobe\Acrobat 6.0\Distillr\acrotray.exe
E:\WINDOWS\SysWOW64\ctfmon.exe
E:\Program Files (x86)\AVG\AVG2012\avgtray.exe
E:\Program Files (x86)\QuickTime\QuickTimePlayer.exe
E:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
N:\D_TEMP\0Archive\WXPp64 - ICHY02\Security\SysInternals_becomes_Winternals\TCPview\Tcpview.exe
E:\Program Files (x86)\AVG\AVG2012\avgui.exe
E:\Program Files (x86)\Trend Micro\HijackThis\HiJackThis.exe
E:\WINDOWS\system32\NOTEPAD.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://duckduckgo.com/settings.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;192.168.*.*
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files (x86)\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Do Not Track - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - E:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files (x86)\AVG\AVG2012\avgssie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - E:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files (x86)\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - E:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files (x86)\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files (x86)\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - E:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ROC_roc_dec12] "E:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
O4 - HKLM\..\Run: [AVG_TRAY] "E:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] E:\PROGRA~2\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APSDaemon] "E:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] "E:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "E:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKCU\..\Run: [DAEMON Tools Lite] "E:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-576387489-407876038-1020195920-1003\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe (User 'Grant_ord')
O4 - HKUS\S-1-5-21-576387489-407876038-1020195920-500\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-576387489-407876038-1020195920-500\..\RunOnce: [NeroHomeFirstStart] E:\Program Files (x86)\Common Files\Ahead\Lib\NMFirstStart.exe (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - S-1-5-21-576387489-407876038-1020195920-1003 Startup: OpenOffice.org 3.1.lnk = E:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe (User 'Grant_ord')
O4 - S-1-5-21-576387489-407876038-1020195920-1003 Startup: OpenOffice.org 3.3.lnk = E:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe (User 'Grant_ord')
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files (x86)\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O9 - Extra button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - E:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - E:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - E:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.download.microsoft.com
O15 - Trusted Zone: http://onecare.live.com
O15 - Trusted Zone: http://data-cdn.mbamupdates.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - https://support.microsoft.com/dcode/ActiveX/MSDcode.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1271680985242
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272669191718
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} (Java Plug-in 1.6.0_21) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{90AC91A0-6040-43B3-B245-650D60D33658}: NameServer = 202.90.44.11,202.90.44.12
O18 - Protocol: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - E:\Program Files (x86)\LizardTech\Express View\expressview.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files (x86)\AVG\AVG2012\avgpp.dll
O18 - Protocol: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - E:\Program Files (x86)\LizardTech\Express View\expressview.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - E:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - E:\WINDOWS\SysWow64\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - E:\WINDOWS\SysWow64\browseui.dll
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - E:\WINDOWS\ATKKBService.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - E:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
O23 - Service: DeviceMonitorService - Nero AG - E:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - E:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - E:\WINDOWS\system32\services.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - E:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - E:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - E:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - E:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - E:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files (x86)\Java\jre6\bin\jqs.exe
O23 - Service: MotoHelper Service (MotoHelper) - Unknown owner - E:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - E:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - E:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - E:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - E:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - E:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - E:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - E:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - E:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - E:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - E:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - E:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
--
End of file - 12528 bytes |
|
| Back to top |
|
 |
Cypher
Moderator
Joined: 05 Jul 2009
Last Visit: 17 May 2013
Posts: 4041
Location: Land Of The Leprechauns
|
| Posted: Mon Jun 25, 2012 2:48 am Post subject: |
|
|
We apologise that your topic has gone unanswered.
As it has been seven days or more since you started your topic, fresh logs will now have to be posted, as malware can change during this period.
If you still require help, Please read the (Things to know before you post)
Then start a fresh topic & await assistance.
_________________
Admin/Teacher at Malware Removal University
Member of...
 |
|
| Back to top |
|
|
|
|
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
smartBlue Style © 2002 Smartor
Powered by phpBB © 2001, 2002 phpBB Group
|
