please check this log out



mrbreezeet1
2008-04-12, 15:34
I'm pretty sure I am OK now, and again pretty sure I have the latest Java from Sun.
Some background:

I was having this issue where music will play, and they're doing some
kind of interview about a tattoo shop, then something I think about a Ford
truck, and I don't know what all else.
There was no web page open other than my home page, Yahoo Mail.
I ran AVG and it said it found 4 and removed 4 threats, also ran Ad-Aware,
and it removed some cookies.
I also saw this "Viewpoint something or other" in Task Manager (processes)
and removed it in Add/Remove Programs.

I wrote the XP group. One of the MVPs thought it sounded like "a Zlob infection with Vundo and SDBot along for the ride".

AVG had reported a ZlobWM, and also an AdloadEZ, and said it fixed them.
But I still had the issue.
Also when I tried to bring up Task Manager, it said it was
disabled.



I ran the Vundo fix, and it found nothing.
Ran Spybot Search & Destroy, and it DID find the Zlob, and removed it.
So it "seems" OK now, but one of the MVPs said to post the HJT log file here.
I am getting a reference to "Windows Live OneCare," but I am not using Live OneCare anymore, so I tried to remove it with HJT, but it keeps coming back.
I am hoping it is not some other file or Trojan trying to "fool me" using the Windows Live OneCare name.
Thank you, here is the log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:52 AM, on 4/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Application Data\jszituxm\jihidyha.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Grisoft\AVG7\avgw.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\A Diodati\My Documents\Downloads\Programs\HiJackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll

--
End of file - 1776 bytes

mrbreezeet1
2008-04-12, 16:30
OK, so AVG just ran this AM, and alerted me to finding Bootrunonce.dll.
I knew from web searches this didn't look good, when I saw it the other day in HJT.
But every time I removed it with HJT and re-scanned, it was back.
Went to safe mode and ran/removed Bootrunonce.dll from HJT, and it did not return on the next HJT scan.
Looks like it's back now. AVG is still running, hope it will remove it.
Please advise.
Thanks, Tony

steamwiz
2008-04-13, 23:38
Hi

If that's all hijackthis is showing, then I suspect you have removed far too much, including many essential entries ...

the malware entries tell me what malware you have ... you've removed all the clues ... all the log tells me is you HAVE updated Java.

removing entries from hijackthis does not remove the malware, only the registry entry which is running it ... looking at your log I'm not sure the situation can be retrieved ...

you will need to replace everything you have removed with hijackthis, from backups & maybe do a system restore to before you started to remove things ...

You can then start by following the directions here :-

http://forums.spybot.info/showthread.php?t=288

Run the scans & post the requested logs ...

steam

mrbreezeet1
2008-04-16, 03:54
I moved a bunch of stuff to the ignore list, things I knew were OK.
I'll check the link out.
Everything does seem to be OK now though.
What is that "bootrunonce.dll" thing?
Thanks, Tony

steamwiz
2008-04-16, 23:56
I can tell you that you have this malware/trojan running... which looks like vundo ...

C:\Documents and Settings\All Users\Application Data\jszituxm\jihidyha.exe

I found very little about the BootRunOnce.dll but found a reference to it running from the SSODL reg key ... it could be vundo related or maybe smitfraud ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam

mrbreezeet1
2008-04-18, 03:13
I can tell you that you have this malware/trojan running... which looks like vundo ...

C:\Documents and Settings\All Users\Application Data\jszituxm\jihidyha.exe

I found very little about the BootRunOnce.dll but found a reference to it running from the SSODL reg key ... it could be vundo related or maybe smitfraud ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam

ComboFix 08-04-16.5 - A Diodati 2008-04-17 20:03:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.214 [GMT -7:00]
Running from: C:\Documents and Settings\A Diodati\My Documents\Downloads\Programs\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://au.download.windowsupdate.coġj
.
((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-17 10:38 . 2008-04-17 10:38 98,304 --a------ C:\WINDOWS\system32\gdcvklsh.exe
2008-04-15 21:09 . 2008-04-16 07:01 <DIR> d-------- C:\Temp\look mature NL
2008-04-12 02:49 . 2008-04-12 02:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-12 02:49 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-10 07:28 . 2008-04-10 07:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-10 07:28 . 2008-04-10 20:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-10 06:30 . 2008-04-10 06:30 <DIR> d-------- C:\VundoFix Backups
2008-04-09 11:53 . 2008-04-09 11:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-09 11:53 . 2008-04-09 11:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-08 22:56 . 2008-04-08 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\jszituxm
2008-04-08 22:41 . 2008-04-08 22:45 7,168 --a------ C:\WINDOWS\system32\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2008-03-30 11:42 . 2008-03-30 11:43 <DIR> d-------- C:\Temp\Azlea_Previews

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 15:00 --------- d-----w C:\Documents and Settings\A Diodati\Application Data\AVG7
2008-04-17 14:00 --------- d-----w C:\Documents and Settings\A Diodati\Application Data\Zoom Player
2008-04-17 02:45 --------- d-----w C:\Documents and Settings\A Diodati\Application Data\DMCache
2008-04-12 09:49 --------- d-----w C:\Program Files\Java
2008-04-10 00:59 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-10 00:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-09 18:53 --------- d-----w C:\Program Files\Lavasoft
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-02 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-02 22:25 --------- d-----w C:\Documents and Settings\A Diodati\Application Data\acccore
2008-03-02 22:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-26 16:54 --------- d-----w C:\Program Files\Ultra Video Splitter
2008-02-26 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-26 01:27 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-26 01:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2005-05-25 13:12 517632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-25 18:27 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"960nTuCiA5"= C:\Documents and Settings\All Users\Application Data\jszituxm\jihidyha.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=


*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-13 05:29:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 20:06:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-17 20:07:27
ComboFix-quarantined-files.txt 2008-04-18 03:07:22

Pre-Run: 404,262,912 bytes free
Post-Run: 767,385,600 bytes free
.
2008-04-09 02:56:50 --- E O F ---

steamwiz
2008-04-18, 21:58
Hi

Open Notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)


File::
C:\WINDOWS\system32\gdcvklsh.exe
C:\WINDOWS\system32\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
C:\Documents and Settings\All Users\Application Data\jszituxm\jihidyha.exe

Folder::
C:\Documents and Settings\All Users\Application Data\jszituxm
C:\VundoFix Backups

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"960nTuCiA5"=-

DirLook::
C:\Temp\Azlea_Previews
C:\Temp\look mature NL



Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Then please run this :-

Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

steam
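As an added illustration (not code from the thread, from ComboFix or from its author), here is a Python script that reads the kind of ComboFix log posted above, picks out the entries a helper would single out, writes them in the CFScript layout described in this post, and then checks the rule that File:: must be the very first line with nothing above or in front of it. The sample log and the triage heuristics (eight random lowercase letters, executables started from Application Data or Temp) are constructed from the names in this thread and are assumptions, not a general detection rule; the result is a draft for a person to review, exactly as the helper does here.

```python
import re

# Constructed sample, modelled on the ComboFix log quoted in this thread
# ("Files Created" lines plus two "Reg Loading Points" entries).
SAMPLE_COMBOFIX_LOG = r"""
2008-04-17 10:38 . 2008-04-17 10:38 98,304 --a------ C:\WINDOWS\system32\gdcvklsh.exe
2008-04-12 02:49 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-08 22:56 . 2008-04-08 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\jszituxm
2008-04-09 11:53 . 2008-04-09 11:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"960nTuCiA5"= C:\Documents and Settings\All Users\Application Data\jszituxm\jihidyha.exe
"""

# A "Files Created" line: created/modified stamps, size or <DIR>, attributes, path.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size><DIR>|[\d,]+) \S+ (?P<path>[A-Za-z]:\\.+)$")
REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_VALUE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*"?(?P<target>[A-Za-z]:\\[^"\[]+?)"?\s*(\[.*\])?$')

# Heuristics assumed from the names in this thread, not a general rule:
# the malware used eight random lowercase letters and ran outside Program Files.
RANDOM_STEM = re.compile(r"^[a-z]{8}$")
USER_WRITABLE = ("\\application data\\", "\\temp\\", "\\local settings\\")


def stem(path):
    """Last path component without its extension."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]

def parse_log(text):
    """Return (files, autoruns) pulled from a ComboFix-style log."""
    files, autoruns, key = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := FILE_LINE.match(line):
            files.append((m["path"], m["size"] == "<DIR>"))
        elif m := REG_KEY.match(line):
            key = m["key"]
        elif key and (m := REG_VALUE.match(line)):
            autoruns.append((key, m["name"], m["target"].strip()))
    return files, autoruns

def triage(files, autoruns):
    """Sort entries into CFScript File::, Folder:: and Registry:: candidates."""
    del_files, del_folders, del_values = [], [], []
    for path, is_dir in files:
        low, odd = path.lower(), bool(RANDOM_STEM.match(stem(path)))
        if is_dir and odd and any(d in low for d in USER_WRITABLE):
            del_folders.append(path)        # random-named folder under Application Data
        elif not is_dir and odd and low.endswith(".exe") and "\\system32\\" in low:
            del_files.append(path)          # random-named executable in system32
    for key, name, target in autoruns:
        low = target.lower()
        if any(d in low for d in USER_WRITABLE) or RANDOM_STEM.match(stem(target)):
            del_values.append((key, name))  # autorun pointing at a user-writable dir
            if target not in del_files:
                del_files.append(target)
    return del_files, del_folders, del_values

def build_cfscript(del_files, del_folders, del_values):
    """Render the candidates in the CFScript layout used in this thread."""
    lines = ["File::", *del_files, "", "Folder::", *del_folders, "", "Registry::"]
    for key, name in del_values:
        lines += [f"[{key}]", f'"{name}"=-']   # "name"=- removes that value
    return "\n".join(lines) + "\n"

def validate_cfscript(text):
    """Check the layout rules the post insists on; return a list of problems."""
    known = {"File::", "Folder::", "Registry::", "DirLook::"}
    lines, problems = text.split("\n"), []
    if lines[0] != "File::":
        problems.append("line 1 must be exactly 'File::' (no blank line above, no leading space)")
    for n, line in enumerate(lines, 1):
        if line.strip().endswith("::") and line.strip() not in known:
            problems.append(f"line {n}: unknown section {line.strip()!r}")
        elif line.strip() in known and line != line.strip():
            problems.append(f"line {n}: section header must start at column 1")
    return problems

if __name__ == "__main__":
    script = build_cfscript(*triage(*parse_log(SAMPLE_COMBOFIX_LOG)))
    print(script, "problems:", validate_cfscript(script) or "none")
```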

mrbreezeet1
2008-04-20, 03:32
Malwarebytes' Anti-Malware 1.11
Database version: 660

Scan type: Quick Scan
Objects scanned: 29696
Time elapsed: 7 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\A Diodati\Application Data\Sammsoft (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:50 PM, on 4/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Documents and Settings\A Diodati\My Documents\Downloads\Programs\HiJackThis.exe

O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll

--
End of file - 1206 bytes


ComboFix 08-04-16.5 - A Diodati 2008-04-19 20:02:41.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254 [GMT -7:00]
Running from: C:\Documents and Settings\A Diodati\Start Menu\Programs\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-12 02:49 . 2008-04-12 02:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-12 02:49 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-10 07:28 . 2008-04-10 07:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-10 07:28 . 2008-04-10 20:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-09 11:53 . 2008-04-09 11:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-09 11:53 . 2008-04-09 11:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 15:00 --------- d-----w C:\Documents and Settings\A Diodati\Application Data\AVG7
2008-04-19 10:57 --------- d-----w C:\Documents and Settings\A Diodati\Application Data\DMCache
2008-04-17 14:00 --------- d-----w C:\Documents and Settings\A Diodati\Application Data\Zoom Player
2008-04-12 09:49 --------- d-----w C:\Program Files\Java
2008-04-10 00:59 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-10 00:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-09 18:53 --------- d-----w C:\Program Files\Lavasoft
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-02 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-02 22:25 --------- d-----w C:\Documents and Settings\A Diodati\Application Data\acccore
2008-03-02 22:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-26 16:54 --------- d-----w C:\Program Files\Ultra Video Splitter
2008-02-26 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-26 01:27 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-26 01:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-17_20.07.09.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-13 17:37:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-20 02:54:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-17 13:31:29 1,744 ----a-w C:\WINDOWS\system32\d3d9caps.dat
+ 2008-04-19 15:46:23 1,744 ----a-w C:\WINDOWS\system32\d3d9caps.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2005-05-25 13:12 517632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-25 18:27 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-04-13 05:29:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 20:03:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-19 20:04:30
ComboFix-quarantined-files.txt 2008-04-20 03:04:26
ComboFix2.txt 2008-04-20 02:59:35
ComboFix3.txt 2008-04-19 01:51:51
ComboFix4.txt 2008-04-19 01:44:17
ComboFix5.txt 2008-04-19 01:38:45

Pre-Run: 1,869,631,488 bytes free
Post-Run: 1,860,624,384 bytes free
.
2008-04-09 02:56:50 --- E O F ---

mrbreezeet1
2008-04-20, 14:34
When I first ran ComboFix, dragging the file you gave me into it, it did say something about deleting
***C:\Documents and Settings\All Users\Application Data\jszituxm***
but after the reboot, that log file was gone.
The log file (ComboFix) above was after the reboot.
Thank you, Tony

steamwiz
2008-04-20, 22:55
The whole idea of you posting logs is so that I can see what has been removed ...

You're supposed to drop the CFScript into Combofix then post the log so that I can see what its response was to the script ...

the log you posted was run on 2008-04-19 20:02:41

Completion at time: 2008-04-19 20:04:30

it is NOT the log from CFScript ... that would have a lot more information in it ...

THAT will be one of these
ComboFix2.txt 2008-04-20 02:59:35
ComboFix3.txt 2008-04-19 01:51:51
ComboFix4.txt 2008-04-19 01:44:17
ComboFix5.txt 2008-04-19 01:38:45

You'll find those files here :-

C:\ComboFix.txt
C:\ComboFix2.txt
C:\ComboFix3.txt
C:\ComboFix4.txt
C:\ComboFix5.txt

If you are going to edit the logs (hijackthis) ... not show me the correct logs, & run programs multiple times without telling me, which will in many cases overwrite and lose important information ... then I don't see how I can help you.

steam

mrbreezeet1
2008-04-21, 04:57
OK sorry, I think this is it.
As far as I know, I did not edit the HijackThis log.
Thanks, Tony

ComboFix 08-04-16.5 - A Diodati 2008-04-18 18:36:21.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.178 [GMT -7:00]
Running from: C:\Documents and Settings\A Diodati\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\A Diodati\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Application Data\jszituxm\jihidyha.exe
C:\WINDOWS\system32\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
C:\WINDOWS\system32\gdcvklsh.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\jszituxm
C:\Documents and Settings\All Users\Application Data\jszituxm\jihidyha.exe
C:\VundoFix Backups
C:\WINDOWS\system32\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-18 10:38 . 2008-04-18 10:38 98,304 --a------ C:\WINDOWS\system32\yjqvqdwj.exe
2008-04-15 21:09 . 2008-04-16 07:01 <DIR> d-------- C:\Temp\look mature NL
2008-04-12 02:49 . 2008-04-12 02:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-12 02:49 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-10 07:28 . 2008-04-10 07:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-10 07:28 . 2008-04-10 20:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-09 11:53 . 2008-04-09 11:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-09 11:53 . 2008-04-09 11:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-30 11:42 . 2008-03-30 11:43 <DIR> d-------- C:\Temp\Azlea_Previews

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 01:24 --------- d-----w C:\Documents and Settings\A Diodati\Application Data\DMCache
2008-04-18 15:00 --------- d-----w C:\Documents and Settings\A Diodati\Application Data\AVG7
2008-04-17 14:00 --------- d-----w C:\Documents and Settings\A Diodati\Application Data\Zoom Player
2008-04-12 09:49 --------- d-----w C:\Program Files\Java
2008-04-10 00:59 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-10 00:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-09 18:53 --------- d-----w C:\Program Files\Lavasoft
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-02 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-02 22:25 --------- d-----w C:\Documents and Settings\A Diodati\Application Data\acccore
2008-03-02 22:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-26 16:54 --------- d-----w C:\Program Files\Ultra Video Splitter
2008-02-26 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-26 01:27 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-26 01:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Temp\Azlea_Previews ----

edited

---- Directory of C:\Temp\look mature NL ----

edited

((((((((((((((((((((((((((((( snapshot@2008-04-17_20.07.09.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-17 13:31:29 1,744 ----a-w C:\WINDOWS\system32\d3d9caps.dat
+ 2008-04-19 00:06:55 1,744 ----a-w C:\WINDOWS\system32\d3d9caps.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2005-05-25 13:12 517632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-25 18:27 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=


*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-13 05:29:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 18:37:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-18 18:38:44
ComboFix-quarantined-files.txt 2008-04-19 01:38:29
ComboFix2.txt 2008-04-18 03:07:28

Pre-Run: 1,200,857,088 bytes free
Post-Run: 1,237,995,520 bytes free
.
2008-04-09 02:56:50 --- E O F ---

steamwiz
2008-04-21, 21:55
I see the temp folders contain porn, if you put it there, then fine ... but if it was downloaded without your knowledge, you can delete it.

I've edited it out, no need to advertise what's in the folders, & no need to leave it if it's not malware ...

They were newly created folders in the temp folder ... a place malware often hides ...

The log also showed this malware file :-

((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-18 10:38 . 2008-04-18 10:38 98,304 --a------ C:\WINDOWS\system32\yjqvqdwj.exe

But the previous Combofix log (I believe the newest) is clean ... so you must have deleted the above file ?

-
By editing hijackthis, I meant white-listing most of the entries ... a log with practically no entries tells me nothing ...

I believe you are now clean ... are you having any problems ?

steam

mrbreezeet1
2008-04-22, 00:00
I believe you are now clean ... are you having any problems ?

steam

No all seems to be well now.
Thanks for your help.
Tony

steamwiz
2008-04-22, 21:02
Hi

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK

http://img.photobucket.com/albums/v624/29wood/Clipboard01-1.gif

Happy surfing

steam