smitfraud-c and virtumonde keep coming back



jodans
2007-08-13, 02:52
Spybot can't remove smitfraud-c because it stays in memory. How can I remove the infections?

Here's my HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:41 AM, on 8/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {545E77AD-1B80-4A01-8E7F-DDB37D97B2C8} - C:\WINDOWS\system32\byxyvvt.dll (file missing)
O2 - BHO: (no name) - {B90E0993-72C2-4A71-9BF9-68DC155C0045} - C:\WINDOWS\system32\vtsts.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [xem] C:\WINDOWS\ServicePackFiles\winlogon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: AutorunsDisabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176870773453
O17 - HKLM\System\CCS\Services\Tcpip\..\{238F730D-52D5-4E04-AF9C-DE1777A141AA}: NameServer = 203.127.225.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{822BEAEF-B39F-411C-90B1-C55FBFA84869}: NameServer = 203.127.225.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{238F730D-52D5-4E04-AF9C-DE1777A141AA}: NameServer = 203.127.225.10
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: byxyvvt - byxyvvt.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 4261 bytes

ken545
2007-08-13, 03:44
jodans,

Welcome to Safer Networking. You have quite a few issues going on that we need to deal with. You are infected with Vundo and a couple of worms. Let's do this first.

We need to disable the Tea Timer in Spybot Search and Destroy as to not interfere with the fix.

Open Spybot and go to Mode> Advanced Mode> Tools> Resident and take the checkmark out of Tea Timer



Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


C:\Program Files\Hijackthis\HijackThis.exe <-- right-click on the HJT icon (it looks like a red stick of dynamite with a plunger) and rename it to Scanner.exe <-- don't forget the .exe, and post a new log.

I need to see the ComboFix log and a new HJT log with it renamed, please.

jodans
2007-08-13, 04:17
I'm sorry for the delay; here's the log file you asked for.

ComboFix 07-08-13.2 - "Belchz" 2007-08-13 9:21:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.334 [GMT 8:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Belchz\APPLIC~1\.rdr.ini
C:\DOCUME~1\Belchz\APPLIC~1\install.dat
C:\DOCUME~1\Belchz\APPLIC~1\Microsoft\20509.dat
C:\Documents and Settings\Belchz\spooldr.ini
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\brr
C:\Temp\dolphi.exe
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\ServicePackFiles\free.exe.bak
C:\WINDOWS\system32\config\systemprofile\application data\.rdr.ini
C:\WINDOWS\system32\f06WtR
C:\WINDOWS\system32\f06WtR\f06WtR1083.exe
C:\WINDOWS\system32\mm.ini
C:\WINDOWS\system32\mqxactsp.exe
C:\WINDOWS\system32\Y0
C:\WINDOWS\system32\Y1
C:\WINDOWS\TTC-4444.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ASC3550U
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))


2007-08-13 09:20 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-13 08:58 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-11 08:00 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-08-11 08:00 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-08-11 08:00 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-08-11 08:00 783,224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-08-11 08:00 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-08-11 08:00 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-11 08:00 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-08-11 08:00 <DIR> d-------- C:\Program Files\Alwil Software
2007-08-10 14:31 359,808 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2007-08-10 14:31 359,808 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-10 14:29 359,040 --a------ C:\WINDOWS\system32\tcpip.sys
2007-08-10 13:17 <DIR> d-------- C:\New Folder
2007-08-10 11:14 1,445,888 --a------ C:\winsockxpfix.exe
2007-08-08 10:23 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1.BEL\NTUSER.DAT
2007-08-07 09:38 <DIR> d-------- C:\autoruns
2007-08-07 07:46 <DIR> d-------- C:\DOCUME~1\Belchz\APPLIC~1\Lavasoft
2007-08-06 16:22 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-06 10:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-06 09:01 <DIR> d-------- C:\WINDOWS\pss
2007-08-02 08:25 <DIR> d-------- C:\WINDOWS\Cache
2007-08-02 08:22 <DIR> d-------- C:\Program Files\Crystal Decisions
2007-08-02 08:22 <DIR> d-------- C:\Program Files\Common Files\Crystal Decisions
2007-08-02 08:18 90,112 --a------ C:\WINDOWS\system32\SDCCInfo.dll
2007-08-02 08:18 172,032 --a------ C:\WINDOWS\system32\rsUtil.dll
2007-08-02 08:18 <DIR> d-------- C:\Program Files\Stamps.com Internet Postage
2007-08-02 08:17 <DIR> d-------- C:\Program Files\Peachtree
2007-08-02 08:17 <DIR> d-------- C:\Program Files\Common Files\Peach
2007-08-01 09:21 44,544 --a------ C:\WINDOWS\system32\GIF89.DLL
2007-08-01 09:21 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2007-08-01 09:21 173,056 --a------ C:\WINDOWS\system32\VTEXT.DLL
2007-08-01 09:21 158,213 --a------ C:\WINDOWS\system32\MSCmCDE.dll
2007-08-01 09:17 640,512 --a------ C:\WINDOWS\system32\Oc30.dll
2007-08-01 09:17 566,784 --a------ C:\WINDOWS\system32\Vcfiwz32.dll
2007-08-01 09:17 25,600 --a------ C:\WINDOWS\system32\borlndmm.dll
2007-08-01 09:17 133,904 --a------ C:\WINDOWS\system32\Mfcans32.dll
2007-08-01 09:17 1,115,136 --a------ C:\WINDOWS\system32\Vcfidl32.dll
2007-08-01 09:17 <DIR> d-------- C:\Program Files\Clarisys
2007-08-01 09:17 <DIR> d-------- C:\Program Files\Borland
2007-07-24 08:52 46,592 --a------ C:\WINDOWS\system32\Prtserv.dll
2007-07-23 16:29 <DIR> d-------- C:\cumulativerecor


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-11 09:01 --------- d--h----- C:\Program Files\WindowsUpdate
2007-08-11 08:58 --------- d-------- C:\Program Files\Online Services
2007-08-10 15:14 708367 --ahs---- C:\WINDOWS\system32\ststv.bak2
2007-08-10 14:36 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-08-07 07:36 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-02 08:18 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-01 09:01 --------- d-------- C:\Program Files\Ovulation Calendar
2007-07-23 16:29 --------- d-------- C:\Program Files\Microsoft Visual FoxPro 7
2007-07-03 10:55 6656 --a------ C:\WINDOWS\system32\haspvdd.dll
2007-07-03 10:55 47616 --a------ C:\WINDOWS\system32\drivers\Haspnt.sys
2007-07-03 10:55 453632 --a------ C:\WINDOWS\system32\drivers\hardlock.sys
2007-07-03 10:55 383 --a------ C:\WINDOWS\system32\haspdos.sys
2007-07-03 10:54 --------- d-------- C:\Program Files\GLOBEtrotter Software Inc
2007-07-03 10:51 --------- d-------- C:\Program Files\Alias
2007-07-03 10:49 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-07-03 10:42 --------- d-------- C:\Program Files\Xara
2007-07-03 10:42 --------- d-------- C:\Program Files\Turbo Photo
2007-07-03 10:38 165376 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-07-02 16:06 --------- d-------- C:\Program Files\Quest2Go
2007-06-25 14:15 --------- d-------- C:\Program Files\HTML Help Workshop
2007-05-17 11:14 44 --a------ C:\WINDOWS\system32\msssc.dll
2007-05-16 23:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 23:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 23:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 23:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 23:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 23:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B90E0993-72C2-4A71-9BF9-68DC155C0045}]
C:\WINDOWS\system32\vtsts.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 06:03]

C:\Documents and Settings\Belchz\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyvvt]
byxyvvt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsts]
C:\WINDOWS\system32\vtsts.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startdrv]
C:\WINDOWS\Temp\startdrv.exe

R2 Sentinel;Sentinel;C:\WINDOWS\system32\Drivers\SENTINEL.SYS
S3 Sntnlusb;Rainbow USB SuperPro;C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS
S4 DS1410D;DS1410D;C:\WINDOWS\system32\drivers\DS1410D.SYS


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0668e363-ff52-11db-addf-000a5e21e54a}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc69645d-0801-11dc-adeb-000a5e21e54a}]
Auto\command- F:\infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe


Contents of the 'Scheduled Tasks' folder
2007-08-09 09:06:57 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-13 09:24:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-13 9:25:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-13 09:25

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:17 AM, on 8/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\Scanner.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B90E0993-72C2-4A71-9BF9-68DC155C0045} - C:\WINDOWS\system32\vtsts.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: AutorunsDisabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176870773453
O17 - HKLM\System\CCS\Services\Tcpip\..\{238F730D-52D5-4E04-AF9C-DE1777A141AA}: NameServer = 203.127.225.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{822BEAEF-B39F-411C-90B1-C55FBFA84869}: NameServer = 203.127.225.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{238F730D-52D5-4E04-AF9C-DE1777A141AA}: NameServer = 203.127.225.10
O20 - Winlogon Notify: byxyvvt - byxyvvt.dll (file missing)
O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 3813 bytes

ken545
2007-08-13, 04:54
Hello Again,

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad.



File::
C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\byxyvvt.dll


Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B90E0993-72C2-4A71-9BF9-68DC155C0045}]
C:\WINDOWS\system32\vtsts.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsts]
C:\WINDOWS\system32\vtsts.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyvvt]
byxyvvt.dll



Save this as ComboFix-Do.txt to your desktop.

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/Combo-Do.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

jodans
2007-08-13, 05:11
Thanks.
When the script loaded I got an error saying:

CFScriptName Error
Were you trying to run a CFScript?The name CFScript appears to be incorrectly spelt.

When I press OK the session closes. What should I do?

ken545
2007-08-13, 05:17
Did you type this in correctly?
Save this as ComboFix-Do.txt to your desktop. On the drop-down list, Save As Type... select All Files.

See if that works.

jodans
2007-08-13, 05:24
I got the same error. I'm sure I typed/copied it correctly.

jodans
2007-08-13, 05:34
What should I do next? Please help.

ken545
2007-08-13, 05:36
OK, I have never had this problem before; let's move on.

Open HijackThis > Do a System Scan Only. Close your browser and all open windows (the only program or window you should have open is HijackThis), check the following entries and click on Fix Checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {B90E0993-72C2-4A71-9BF9-68DC155C0045} - C:\WINDOWS\system32\vtsts.dll (file missing)
O4 - Startup: AutorunsDisabled
O20 - Winlogon Notify: byxyvvt - byxyvvt.dll (file missing)
O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll (file missing)


Download VundoFix (http://www.atribune.org/ccount/click.php?id=4) to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


Let me see the Vundo Log and New HJT log please.

I have been at this all day and I am down for the night, so take your time. I will be back online around 6:30 am USA time.

Ken :)
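The entries Ken picks out above are the kind a helper looks for when reading a HijackThis log: load points whose file is already gone, a Run entry started out of Temp, a core Windows binary name in the wrong directory, O20 load points, and a custom DNS server. The script below is an added example, not part of this thread and not HijackThis's own logic: it parses log lines quoted from the first and second logs in this thread, applies those heuristics (the rules and the list of system binary names are assumptions of this example), and diffs the two logs to show what the ComboFix run removed and what still needed the follow-up fix.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample HijackThis lines copied from the first log posted in this thread.
BEFORE = [
    r"O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll",
    r"O2 - BHO: (no name) - {B90E0993-72C2-4A71-9BF9-68DC155C0045} - C:\WINDOWS\system32\vtsts.dll (file missing)",
    r"O4 - HKLM\..\Run: [xem] C:\WINDOWS\ServicePackFiles\winlogon.exe",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{238F730D-52D5-4E04-AF9C-DE1777A141AA}: NameServer = 203.127.225.10",
    r"O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll",
    r"O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll (file missing)",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
]
# The same entries as they appear in the log posted after the ComboFix run.
AFTER = [
    r"O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll",
    r"O2 - BHO: (no name) - {B90E0993-72C2-4A71-9BF9-68DC155C0045} - C:\WINDOWS\system32\vtsts.dll (file missing)",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{238F730D-52D5-4E04-AF9C-DE1777A141AA}: NameServer = 203.127.225.10",
    r"O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll (file missing)",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
]

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")                      # "O20 - rest of line"
PATH_RE = re.compile(r"([A-Za-z]:\\.*?)(?: \(file missing\))?$")   # first drive path up to end of line
# Core Windows binaries whose names malware borrows, and where the real ones live (assumption).
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "smss.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Entry:
    section: str            # HijackThis section id, e.g. "O20"
    text: str               # the rest of the line
    path: Optional[str]     # file path named by the entry, if any
    file_missing: bool      # HijackThis could not find the file on disk


def parse_line(line: str) -> Optional[Entry]:
    """Split one HijackThis log line into its section, path and missing-file flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, text = m.group(1), m.group(2)
    pm = PATH_RE.search(text)
    return Entry(section, text, pm.group(1) if pm else None, text.endswith("(file missing)"))


def triage(entry: Entry) -> List[str]:
    """Heuristics a helper applies when reading a log; returns the reasons an entry needs a look."""
    reasons: List[str] = []
    low = (entry.path or "").lower()
    name = low.rsplit("\\", 1)[-1]
    if entry.file_missing:
        reasons.append("load point references a file that is gone: orphaned autostart, fix the entry")
    if entry.section == "O4" and "\\temp\\" in low:
        reasons.append("Run entry starts a program out of a Temp directory")
    if name in SYSTEM_NAMES and not low.startswith(SYSTEM32):
        reasons.append(f"{name} belongs in system32; a copy elsewhere is masquerading")
    if entry.section == "O20":
        reasons.append("AppInit_DLLs / Winlogon Notify loads into privileged processes; verify the DLL")
    if entry.section == "O17":
        reasons.append("custom NameServer; confirm it is the ISP's resolver and not a DNS hijack")
    return reasons


def triage_log(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged log line to its reasons; clean entries are left out."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_line(line)
        reasons = triage(entry) if entry else []
        if reasons:
            findings[line] = reasons
    return findings


def removed_between(before: List[str], after: List[str]) -> List[str]:
    """Entries present in the earlier log and gone from the later one (what the tool removed)."""
    later = set(after)
    return [line for line in before if line not in later]


def still_flagged(before: List[str], after: List[str]) -> List[str]:
    """Flagged entries that survived the cleanup and need a follow-up fix."""
    later = set(after)
    return [line for line in triage_log(before) if line in later]


if __name__ == "__main__":
    for line, reasons in triage_log(BEFORE).items():
        print(line, *("   -> " + r for r in reasons), sep="\n")
    print("\nRemoved by the ComboFix run:", *removed_between(BEFORE, AFTER), sep="\n  ")
    print("\nStill flagged afterwards:", *still_flagged(BEFORE, AFTER), sep="\n  ")
```

Run against the two sample logs it reports the xem, startdrv and AppInit_DLLs entries as removed and the two vtsts "(file missing)" entries plus the NameServer line as still open, which matches the entries Ken asks to fix in this post.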

jodans
2007-08-13, 05:58
VundoFix found nothing.

Here are the new HijackThis log file and the vundofix.txt:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11, on 2007-08-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\Scanner.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176870773453
O17 - HKLM\System\CCS\Services\Tcpip\..\{238F730D-52D5-4E04-AF9C-DE1777A141AA}: NameServer = 203.127.225.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{822BEAEF-B39F-411C-90B1-C55FBFA84869}: NameServer = 203.127.225.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{238F730D-52D5-4E04-AF9C-DE1777A141AA}: NameServer = 203.127.225.10
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 3400 bytes



VundoFix V6.5.7

Checking Java version...

Sun Java not detected
Scan started at 11:05:54 2007-08-13

Listing files found while scanning....

No infected files were found.

Am I now free from infections?

ken545
2007-08-13, 13:56
Your log looks good, but to be on the safe side I need you to run that ComboFix application again; this time change the name of the script.

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad.



File::
C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\byxyvvt.dll


Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B90E0993-72C2-4A71-9BF9-68DC155C0045}]
C:\WINDOWS\system32\vtsts.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsts]
C:\WINDOWS\system32\vtsts.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyvvt]
byxyvvt.dll



Save this as CFScript.txt to your desktop.

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/Combo-Do.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


On your original log you had a couple of bad entries that were related to the SDBot trojan. Although the entries are no longer on your log, let's run the tool to make sure it's gone; if all comes up roses then you will be good to go.


Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.



Let me see the ComboFix log, the SDFix log and a new HJT log.

Ken...who will be having coffee waiting for your reply :coffee:

jodans
2007-08-14, 02:37
Good day Ken,

Great to hear from you again, and thanks for all the compliments. Oh, I am really sorry for the delayed reply because I was at home. I will perform the steps and hope there's no problem this time like when running ComboFix last time, and I will post the result afterwards. Again, thanks a lot.

jodans
2007-08-14, 03:24
Hi again Ken, here are the log files you asked for:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:21 AM, on 8/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hijackthis\Scanner.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176870773453
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F74B040-3A25-4EF0-971B-B8B5DC1D9E4F}: NameServer = 203.127.225.10
O20 - Winlogon Notify: byxyvvt - C:\WINDOWS\
O20 - Winlogon Notify: vtsts - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 3440 bytes


ComboFix 07-08-13.2 - "Belchz" 2007-08-14 7:40:31.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.308 [GMT 8:00]
Command switches used :: C:\Documents and Settings\Belchz\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\byxyvvt.dll


((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))


2007-08-14 07:18 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-13 11:05 <DIR> d-------- C:\VundoFix Backups
2007-08-13 09:20 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-13 08:58 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-11 08:00 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-08-11 08:00 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-08-11 08:00 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-08-11 08:00 783,224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-08-11 08:00 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-08-11 08:00 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-11 08:00 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-08-11 08:00 <DIR> d-------- C:\Program Files\Alwil Software
2007-08-10 14:31 359,808 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2007-08-10 14:31 359,808 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-10 14:29 359,040 --a------ C:\WINDOWS\system32\tcpip.sys
2007-08-10 13:17 <DIR> d-------- C:\New Folder
2007-08-10 11:14 1,445,888 --a------ C:\winsockxpfix.exe
2007-08-08 10:23 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1.BEL\NTUSER.DAT
2007-08-07 09:38 <DIR> d-------- C:\autoruns
2007-08-07 07:46 <DIR> d-------- C:\DOCUME~1\Belchz\APPLIC~1\Lavasoft
2007-08-06 16:22 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-06 10:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-06 09:01 <DIR> d-------- C:\WINDOWS\pss
2007-08-02 08:25 <DIR> d-------- C:\WINDOWS\Cache
2007-08-02 08:22 <DIR> d-------- C:\Program Files\Crystal Decisions
2007-08-02 08:22 <DIR> d-------- C:\Program Files\Common Files\Crystal Decisions
2007-08-02 08:18 90,112 --a------ C:\WINDOWS\system32\SDCCInfo.dll
2007-08-02 08:18 172,032 --a------ C:\WINDOWS\system32\rsUtil.dll
2007-08-02 08:18 <DIR> d-------- C:\Program Files\Stamps.com Internet Postage
2007-08-02 08:17 <DIR> d-------- C:\Program Files\Peachtree
2007-08-02 08:17 <DIR> d-------- C:\Program Files\Common Files\Peach
2007-08-01 09:21 44,544 --a------ C:\WINDOWS\system32\GIF89.DLL
2007-08-01 09:21 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2007-08-01 09:21 173,056 --a------ C:\WINDOWS\system32\VTEXT.DLL
2007-08-01 09:21 158,213 --a------ C:\WINDOWS\system32\MSCmCDE.dll
2007-08-01 09:17 640,512 --a------ C:\WINDOWS\system32\Oc30.dll
2007-08-01 09:17 566,784 --a------ C:\WINDOWS\system32\Vcfiwz32.dll
2007-08-01 09:17 25,600 --a------ C:\WINDOWS\system32\borlndmm.dll
2007-08-01 09:17 133,904 --a------ C:\WINDOWS\system32\Mfcans32.dll
2007-08-01 09:17 1,115,136 --a------ C:\WINDOWS\system32\Vcfidl32.dll
2007-08-01 09:17 <DIR> d-------- C:\Program Files\Clarisys
2007-08-01 09:17 <DIR> d-------- C:\Program Files\Borland
2007-07-24 08:52 46,592 --a------ C:\WINDOWS\system32\Prtserv.dll
2007-07-23 16:29 <DIR> d-------- C:\cumulativerecor


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-11 09:01 --------- d--h----- C:\Program Files\WindowsUpdate
2007-08-11 08:58 --------- d-------- C:\Program Files\Online Services
2007-08-10 15:14 708367 --ahs---- C:\WINDOWS\system32\ststv.bak2
2007-08-10 14:36 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-08-07 07:36 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-02 08:18 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-01 09:01 --------- d-------- C:\Program Files\Ovulation Calendar
2007-07-23 16:29 --------- d-------- C:\Program Files\Microsoft Visual FoxPro 7
2007-07-03 10:55 6656 --a------ C:\WINDOWS\system32\haspvdd.dll
2007-07-03 10:55 47616 --a------ C:\WINDOWS\system32\drivers\Haspnt.sys
2007-07-03 10:55 453632 --a------ C:\WINDOWS\system32\drivers\hardlock.sys
2007-07-03 10:55 383 --a------ C:\WINDOWS\system32\haspdos.sys
2007-07-03 10:54 --------- d-------- C:\Program Files\GLOBEtrotter Software Inc
2007-07-03 10:51 --------- d-------- C:\Program Files\Alias
2007-07-03 10:49 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-07-03 10:42 --------- d-------- C:\Program Files\Xara
2007-07-03 10:42 --------- d-------- C:\Program Files\Turbo Photo
2007-07-03 10:38 165376 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-07-02 16:06 --------- d-------- C:\Program Files\Quest2Go
2007-06-25 14:15 --------- d-------- C:\Program Files\HTML Help Workshop
2007-05-17 11:14 44 --a------ C:\WINDOWS\system32\msssc.dll
2007-05-16 23:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 23:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 23:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 23:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 23:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 23:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 06:03]

C:\Documents and Settings\Belchz\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyvvt]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsts]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startdrv]
C:\WINDOWS\Temp\startdrv.exe

R2 Sentinel;Sentinel;C:\WINDOWS\system32\Drivers\SENTINEL.SYS
S3 Sntnlusb;Rainbow USB SuperPro;C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS
S4 DS1410D;DS1410D;C:\WINDOWS\system32\drivers\DS1410D.SYS


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0668e363-ff52-11db-addf-000a5e21e54a}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc69645d-0801-11dc-adeb-000a5e21e54a}]
Auto\command- F:\infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe


Contents of the 'Scheduled Tasks' folder
2007-08-09 09:06:57 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-14 07:43:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-14 7:43:47
C:\ComboFix-quarantined-files.txt ... 2007-08-14 07:43
C:\ComboFix2.txt ... 2007-08-13 09:25

--- E O F ---


SDFix: Version 1.98

Run by Belchz on Tue 08/14/2007 at 08:01 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

C:\belchie\MIS lect\exams\midterm\~WRL0842.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished

ken545
2007-08-14, 03:56
We're almost done. :)

Remove these entries with HJT.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O20 - Winlogon Notify: byxyvvt - C:\WINDOWS\
O20 - Winlogon Notify: vtsts - C:\WINDOWS\

O24 - Desktop Component AutorunsDisabled: (no name) - (no file)



Are you from the Philippines? How is your computer running now?

Post one last HJT log and let's take a final look

Ken:FF:
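
The entries Ken lists above are the orphaned-autostart kind a helper looks for when reading an HJT log. As an added example (not code from this thread or from the HijackThis tool), this small triage script parses HJT entry lines and flags those patterns over lines taken from the logs posted in this thread:

```python
"""Triage helper for HijackThis (HJT) log entries (added example, not code from
this thread or from the HijackThis tool). It parses the entry lines of an HJT
log and flags orphaned or out-of-place autostart entries of the kinds removed
in this thread; O17 DNS overrides are listed for review rather than judged.
"""
import re
from typing import List, Tuple

# Every HJT entry line starts with a section code such as R0, O2, O4, O20.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")

# Binaries that legitimately live in system32; a Run entry launching a copy elsewhere is worth a look.
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe",
                   "services.exe", "smss.exe", "csrss.exe"}

# Sample input: lines taken verbatim from the HJT logs posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {545E77AD-1B80-4A01-8E7F-DDB37D97B2C8} - C:\WINDOWS\system32\byxyvvt.dll (file missing)
O4 - HKLM\..\Run: [xem] C:\WINDOWS\ServicePackFiles\winlogon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F74B040-3A25-4EF0-971B-B8B5DC1D9E4F}: NameServer = 203.127.225.10
O20 - Winlogon Notify: byxyvvt - C:\WINDOWS\
O20 - Winlogon Notify: vtsts - C:\WINDOWS\
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
"""


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for each entry line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def run_target(body: str) -> str:
    """Extract the launched path from an O4 body (quoted paths, trailing arguments and Startup .lnk lines handled)."""
    after = body.split("] ", 1)[1] if "] " in body else body.split("= ", 1)[-1]
    after = after.strip()
    if after.startswith('"'):
        return after[1:].split('"', 1)[0]
    m = re.search(r"\.(exe|dll|scr|com|bat)\b", after, re.IGNORECASE)
    return after[:m.end()] if m else after.split(" ")[0]


def triage(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (section, body, reason) for every entry that deserves a second look."""
    findings = []
    for section, body in entries:
        lower = body.lower()
        reason = None
        if section == "O2" and lower.endswith("(file missing)"):
            reason = "BHO registered for a DLL that no longer exists"
        elif section == "O20" and lower.startswith("winlogon notify:") and body.endswith("\\"):
            reason = "Winlogon Notify key points at a directory, not a DLL"
        elif section == "O4":
            path = run_target(body)
            parent, _, name = path.lower().rpartition("\\")
            if "\\temp\\" in path.lower():
                reason = "Run entry launches from a Temp directory"
            elif name in SYSTEM_BINARIES and not parent.endswith("\\system32"):
                reason = "Run entry launches a copy of a system binary outside system32"
        elif section == "O24" and lower.endswith("(no file)"):
            reason = "desktop component with no backing file"
        elif section == "O17" and "nameserver" in lower:
            reason = "DNS server override; confirm it is your ISP's resolver"
        if reason:
            findings.append((section, body, reason))
    return findings


if __name__ == "__main__":
    for section, body, reason in triage(parse_entries(SAMPLE_LOG)):
        print(f"{section:<4} {reason}\n     {body}")
```

The heuristics only mark entries for a human to review; a flagged O17 line, for instance, is just as often the ISP's real resolver as a hijack.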

jodans
2007-08-14, 04:50
Hello Ken, sorry for the delayed reply again. Yup, I'm from the Philippines. As I was doing a full scan on avast it detected some trojans like vundo-gen and some others, but they were deleted by the anti-virus.

Here's the log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:43 AM, on 8/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hijackthis\Scanner.exe
C:\WINDOWS\explorer.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176870773453
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F74B040-3A25-4EF0-971B-B8B5DC1D9E4F}: NameServer = 203.127.225.10
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 3206 bytes

ken545
2007-08-14, 05:10
Log looks good :bigthumb:

How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
Tom Coyote (http://forums.tomcoyote.org/index.php?showtopic=48151)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Here are some free programs to install, don't leave home without them

Spybot Search and Destroy 1.4 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

Ad-Aware 2007 7.0.1.5 (http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button)
Check for Updates and run a Full System Scan on a regular basis.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give you the option to deny the change.

IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.



When I was younger and in the Navy, I spent some time in Manila and Subic Bay.

It's been a pleasure helping you. :band:

Safe Surfn
Ken

jodans
2007-08-14, 05:22
I have a bad connection at the moment, that's why I can hardly connect to the internet. Thanks for helping me, I really appreciate it very much, Ken. Thanks for those tips, I will read those when my connection comes back.

So you are retired Navy? The Philippines is a good country, isn't it?
Hope you are always here to offer some help later, not only to me but to all who need it. Keep up the good work Ken. May God bless you a thousand fold.

jodans
2007-08-14, 10:06
Good day again Ken, can I ask another favor from you? I have another PC running Win98SE; it keeps crashing and the anti-virus is always alerting me that there is an intrusion attempt but it's blocked. The internet connection is too slow. Can you check the HijackThis log file for me please?

Here's my log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:03 PM, on 8/14/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\CHIKKA\CHIKKA.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\SKYPE\PHONE\SKYPE.EXE
C:\PROGRAM FILES\MOTHERBOARD MONITOR 5\MBM5.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CHIKKA\BNRREPO2.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\GETRIGHT\GETRIGHT.EXE
C:\PROGRAM FILES\GETRIGHT\GETRIGHT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=202.78.69.213:8080
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O4 - HKCU\..\Run: [ChikkaIM] C:\PROGRA~1\CHIKKA\Chikka.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\PROGRAM FILES\SKYPE\PHONE\SKYPE.EXE" /nosplash /minimized
O4 - HKUS\.DEFAULT\..\Run: [ChikkaIM] C:\PROGRA~1\CHIKKA\Chikka.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Skype] "C:\PROGRAM FILES\SKYPE\PHONE\SKYPE.EXE" /nosplash /minimized (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (User 'Default user')
O4 - .DEFAULT Startup: MBM 5.lnk = C:\Program Files\Motherboard Monitor 5\MBM5.exe (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: MBM 5.lnk = C:\Program Files\Motherboard Monitor 5\MBM5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRAM FILES\COPERNIC AGENT\COPERNICAGENT.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRAM FILES\COPERNIC AGENT\COPERNICAGENT.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRAM FILES\COPERNIC AGENT\COPERNICAGENT.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = globe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = globe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 203.127.225.10,203.177.255.10

--
End of file - 6496 bytes

ken545
2007-08-14, 14:01
jodans

The log for Win98 looks fine.


> anti-virus always alerting me that there is an intrusion attempt but it's blocked.

When your computer is online you will get many intrusions; most of them are harmless, like maybe one of your programs looking for an update. As far as being slow, you can check out these sites and forums. We only do malware removal at this one. Keep in mind also that Windows 98 is becoming a relic and most of the tips and programs that are written nowadays are not being written for 98.

It's Not Always Malware

Slow Computer (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)
Microsoft (http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx)

Speedup Windows
TechBuilder (http://www.techbuilder.org/recipes/59201471)

Windows Tips
Techruler (http://www.techruler.com/tips.html#1)
Kellys Korner (http://www.kellys-korner-xp.com/xp_abc.htm)


Windows Tech Support Forums
Some of these have forums for Win98

PcPitStop (http://pcpitstop.com/) <-- You can take your system in for a checkup here.
Bleeping Computer (http://www.bleepingcomputer.com/forums/forum56.html) <--Good XP Forum
Windows Helpnet (http://www.windowsbbs.com/) <-- Excellent XP Forum
Hardwareguys (http://hwg.mazin.net/hardwareguys/hwgboard/ikonboard.cgi) <-- Another good one

You can check out my website as I have most of the tools and tutorials you may need for free download.

http://www.swapfilecomputerservice.com/

The Philippines was a beautiful country, but when I was there, it was July and the temp was around 118°. Too hot for me :laugh:

Ken

jodans
2007-08-15, 02:50
Good day again Ken, thanks for hearing from you again. As you said my log file looks good, so maybe it's time for me to update my OS to XP or have a dual boot. I have had a new hard drive since last month but I hesitated to install it because it might get infected when I do dual booting, but now it's clear to me that it's safe. Thanks for the info you've posted and I'm sure I have to download some of your stuff from your website. Again Ken, thank you, thank you, thank you very much. Have a nice day ahead of you.

Now Manila suffers from floods due to the typhoon that hit the Luzon area; we just hope and pray it will not worsen.

ken545
2007-08-15, 03:43
> Now Manila suffers from floods due to the typhoon that hit the Luzon area; we just hope and pray it will not worsen.

My thoughts are with you and your family.

Stay Well,

Ken

tashi
2007-08-28, 17:39
Glad we could help, as the problem appears to be resolved this topic has been archived. :)

If you need it re-opened, please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.