Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:37 PM, on 4/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
We didn’t detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the Windows Firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don’t use any firewall at all.
We recommend that you use a firewall. Download and install one, or activate Windows XP’s own.
O17 - HKLM\System\CCS\Services\Tcpip\..\{A851EBA5-841F-4F5A-8A16-22BE94B92477}: NameServer = 65.32.5.74,65.32.5.75
Do you know the IP or Domain ‘65.32.5.74,65.32.5.75’? If not, fix this entry.
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE2DDBAC-8557-414D-AE79-B0181EAB8BC3}: NameServer = 65.32.5.111,65.32.5.112
Do you know the IP or Domain ‘65.32.5.111,65.32.5.112’? If not, fix this entry.
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2BBAD18-3B33-4A47-8CCE-17436B215562}: NameServer = 65.32.5.74,65.32.5.75
Do you know the IP or Domain ‘65.32.5.74,65.32.5.75’? If not, fix this entry.
It looks like you have a bunch of toolbars installed too. If you don’t use them, you should uninstall them; they usually just cause your internet browser to slow down.
It also looks like there are a few entries about Symantec on your system; you should run the Symantec uninstall utility for whatever product you had installed previously. I’ll give you a link if you need it. Otherwise, just Google search for “symantec uninstall utility” and download/run it.
Not weird, as the MD5 number is identical so the actual file content is the same even though the file name might be different.
It is also not advisable to simply accept old data, as these scans were done over 16 months ago and a week is a long time in virus terms; the likelihood is that more scanners would now alert on these files. So it is always advisable not to just accept the old scan but to have them scanned again.
When we say to post a link to the results, what we mean is to copy the URL from the browser’s address bar; that way we can have a look at the full results.
This IP 65.32.5.74 is for Road Runner HoldCo LLC
This IP 65.32.5.111 is also for Road Runner HoldCo LLC
So, is this your ISP?
Your version of Acrobat PDF Reader is also out of date and vulnerable to exploit; I suggest you get the latest version.
Is avast alerting when you try to upload from the suspect folder?
If so, even if you ignore the alert (take no action), avast won’t let you work with that file, and that includes uploading to VT.
If it does alert, then you haven’t got the exclusion right in the Standard Shield; you should be typing “c:\suspect*” (everything inside the quotes but not the quotes). That assumes you created the suspect folder in the root of the C drive/partition.
I would say you don’t have to upload the C:\Suspect\A0138801.exe file as this looks like it is a copy of the other file that has been saved by system restore in the system volume information folder as a restore point.
That’s me for the night, or should I say morning; it is almost 2:30 am here.
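As an added example (not from the thread, HijackThis or avast), here is a small Python script that parses the O17 lines from the log above, groups the name servers by adapter GUID and flags any that fall outside the resolver range you expect from your ISP, which is the check the analyzer’s “Do you know the IP or Domain” prompt is asking you to make by hand. The 65.32.5.0/24 range is an assumption standing in for the Road Runner addresses identified in the thread.

```python
import ipaddress
import re

# The three O17 lines from the log above, in HijackThis's usual
# "Tcpip\..\{GUID}: NameServer = ..." form (taken from the thread, not constructed).
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{A851EBA5-841F-4F5A-8A16-22BE94B92477}: NameServer = 65.32.5.74,65.32.5.75
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE2DDBAC-8557-414D-AE79-B0181EAB8BC3}: NameServer = 65.32.5.111,65.32.5.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2BBAD18-3B33-4A47-8CCE-17436B215562}: NameServer = 65.32.5.74,65.32.5.75
"""

# Resolver ranges the machine's owner expects. 65.32.5.0/24 is an ASSUMPTION
# standing in for "the ISP's (Road Runner) DNS servers" discussed in the thread.
EXPECTED_RESOLVER_CIDRS = ("65.32.5.0/24",)

O17_RE = re.compile(
    r"^O17 - .*?\{(?P<guid>[0-9A-Fa-f-]+)\}: NameServer = (?P<servers>[0-9A-Fa-f:., ]+)$"
)

def parse_o17(log_text):
    """Map each adapter GUID to the list of name servers its O17 line sets."""
    entries = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            entries[m.group("guid")] = servers
    return entries

def unexpected_nameservers(entries, allowed_cidrs=EXPECTED_RESOLVER_CIDRS):
    """Return (guid, server) pairs whose server is outside every allowed range.

    Anything that is not a parseable IP is flagged too, since a HijackThis
    NameServer value should be a comma-separated list of addresses.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = []
    for guid, servers in entries.items():
        for s in servers:
            try:
                addr = ipaddress.ip_address(s)
            except ValueError:
                flagged.append((guid, s))
                continue
            if not any(addr in net for net in allowed):
                flagged.append((guid, s))
    return flagged

if __name__ == "__main__":
    found = parse_o17(SAMPLE_LOG)
    for guid, servers in found.items():
        print(guid, "->", ", ".join(servers))
    for guid, server in unexpected_nameservers(found):
        print("CHECK: adapter", guid, "uses unexpected resolver", server)
```

With the thread's own addresses and the assumed Road Runner range nothing is flagged; swap in a range that does not match to see each adapter/server pair reported.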
You never did answer this question from my first reply way back when and it forms the basis of any action required.
What action did you choose on detection? Move to Chest is the safest option.
When avast detects it and you send it to the chest, we investigate (which we have done); normally after a few weeks we scan it again within the chest and, if it is still detected, we delete it.
However, if as a result of your investigation we have conclusive evidence (which we have) that it is a good detection, then we can delete it from the chest (and suspect folder) rather than wait a few weeks before doing so.
OK, if you haven’t sent these to the chest, you should have done so; you should be getting into that habit now, and investigate. You don’t say what the malware name was, so it leaves us guessing: Win32:Trojan-gen?
As scythe944 suggested, you could disable System Restore; personally I’m against that being done too early, as a) avast should be able to deal with malware in the System Volume Information folder, and b) by disabling System Restore you lose ALL restore points, infected or otherwise, so it leaves no possibility of going back. I’m not a fan of System Restore, but it is better than nothing.
We also don’t know if you have run SAS and MBAM from Safe Mode, as you haven’t said and there are no logs posted (these scans produce reports).
There have been many questions asked and some suggestions offered, but what we need most is answers from you as they help us to help you. We thrive on information and wither without it.
I moved ALL files to chest. I said it shows Trojan.Gen (VirusTotal reports mostly Trojan.Agent/dwnldr; link to report in prior post). I have not run MBAM or SAS. Should I? Will it be able to remove it without damaging my System Restore, because it’s in there?
Yes, you should run them, as if there is an undetected or hidden file that is causing the trojans, if they keep generating, then that process has to be found.
We wouldn’t suggest something if it were going to damage anything, or we would comment on the possible negative aspect/s, like my comment about not disabling System Restore, as you would lose the good restore points.
As I said in my previous post, “a) avast should be able to deal with malware in the system volume information,” so no comment or reservation.