View Full Version : Help with SmithfraudC, Virtumonde, Virtumonde.generic
Would be greatly appreciate help in removing these problems. Tea Timer has been turned off and ResetTeaTimer.bat file was run. See HJT log below. When I ran HJT error was encountered and HJT was closed. Thank you in advance for your help with this problem.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:22 PM, on 12/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Utilities\AdAware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\EPU-6 Engine\SixEngine.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ASUS\AASP\1.00.63\aaCenter.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\JZT\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\EPU-6 Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe /auto
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: Probe2.exe.lnk = C:\Program Files\ASUS\PC Probe II\Probe2.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229204239593
O20 - AppInit_DLLs: srspqt.dll C:\WINDOWS\system32\guard32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Utilities\AdAware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 4525 bytes
shelf life
2008-12-29, 20:20
hi Disker,
your log is 4 or 5 days old. If you still need help simply reply to the post.
Hello shelf life, yes I do still need help removing virtumonde and smithfraudC.
Please let me know if you need anything from my end to start this process.
Thanks!
shelf life
2008-12-30, 16:05
hi,
ok we will start with another download to check for malware. Link and directions:
Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:
http://www.malwarebytes.org/mbam.php
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
please post the MBAM log in reply
hello shelf life, here is the mbam log.
I did receive a message that a reboot was needed to remove certain items. I did reboot to allow the removal. I did connect to internet to allow mbam to update, only. I am using another to communicated and post logs via flash drive.
Thanks!
Malwarebytes' Anti-Malware 1.31
Database version: 1574
Windows 5.1.2600 Service Pack 2
12/30/2008 9:45:57 AM
mbam-log-2008-12-30 (09-45-57).txt
Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 55116
Time elapsed: 3 minute(s), 40 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 16
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 13
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\yayvSJAQ.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rqRIaWnk.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\srspqt.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rweddrbt.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ffc238d-fd0d-48bf-bd01-e7684d5e2bef} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2ffc238d-fd0d-48bf-bd01-e7684d5e2bef} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqriawnk (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dbcabd6b-38f7-40ef-b29c-ccbb61ff966e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{dbcabd6b-38f7-40ef-b29c-ccbb61ff966e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{dbcabd6b-38f7-40ef-b29c-ccbb61ff966e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\yayvsjaq -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\yayvsjaq -> Delete on reboot.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\rysovc.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRIaWnk.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yayvSJAQ.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\QAJSvyay.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\QAJSvyay.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\srspqt.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rweddrbt.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\JZT\Local Settings\Temp\KB908288.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\JZT\Local Settings\Temporary Internet Files\Content.IE5\QBABXU22\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{40EB69F8-F480-4FE8-9508-2AB428C693AB}\RP13\A0000414.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rsmxbvnf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\digeste.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnmnklK.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
shelf life
2008-12-30, 19:41
hi,
ok good. we will get one more download to use. Its called combofix. There is a guide you can read which will explain all about it. Once you start just follow the prompts and post the combofix log in your reply.
the guide:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Hi shelf life, here is the combofix log. Near the end of the scan it rebooted the computer. When the system loaded I received a warning about my antivirus starting again. I disabled it and the firewall and then continued as indicated.
Thanks!
ComboFix 08-12-30.01 - JZT 2008-12-30 22:49:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1662 [GMT -5:00]
Running from: c:\documents and settings\JZT\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1229 [VPS 080826-0] *On-access scanning disabled* (Outdated)
FW: COMODO Firewall Pro *enabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\JZT\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\eibpiufo.ini
c:\windows\Tasks\nbgursbp.job
c:\windows\Temp\tmp3.tmp
c:\windows\wiaserviv.log
.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))
.
2008-12-30 09:52 . 2008-12-30 09:52 0 --a------ c:\windows\system32\drivers\aajullo.sys
2008-12-30 09:31 . 2008-12-30 09:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 09:31 . 2008-12-30 09:31 <DIR> d-------- c:\documents and settings\JZT\Application Data\Malwarebytes
2008-12-30 09:31 . 2008-12-30 09:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-30 09:31 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 09:31 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-18 00:02 . 2008-12-18 00:02 <DIR> d-------- c:\program files\Alwil Software
2008-12-17 23:25 . 2008-12-17 23:25 <DIR> d-------- c:\program files\COMODO
2008-12-17 23:25 . 2008-12-17 23:25 <DIR> d-------- c:\documents and settings\JZT\Application Data\Comodo
2008-12-17 23:25 . 2008-12-17 23:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\comodo
2008-12-17 23:25 . 2008-12-17 23:25 143,104 --a------ c:\windows\system32\guard32.dll
2008-12-17 23:25 . 2008-12-17 23:25 87,056 --a------ c:\windows\system32\drivers\cmdguard.sys
2008-12-17 23:25 . 2008-12-17 23:25 24,208 --a------ c:\windows\system32\drivers\cmdhlp.sys
2008-12-14 22:47 . 2008-12-14 22:47 185 --a------ c:\windows\wininit.ini
2008-12-14 20:32 . 2008-12-14 22:50 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-14 20:32 . 2008-12-17 18:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-14 20:23 . 2008-12-14 20:23 <DIR> d-------- c:\program files\Foxit Software
2008-12-13 17:17 . 2008-08-14 05:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-13 17:17 . 2008-08-14 04:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-13 17:17 . 2008-08-14 04:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-13 17:17 . 2008-08-14 04:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-13 17:16 . 2008-10-24 06:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-13 16:56 . 2008-12-17 19:53 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-13 16:42 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2008-12-13 16:42 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2008-12-13 16:42 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2008-12-13 16:42 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-13 16:42 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2008-12-09 21:31 . 2008-12-09 21:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-09 21:29 . 2008-12-09 21:29 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-09 20:59 . 2008-12-09 23:10 <DIR> d-------- c:\program files\Utilities
2008-12-09 20:12 . 2004-08-03 23:08 26,496 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2008-12-09 17:04 . 2008-12-09 17:04 <DIR> d---s---- c:\documents and settings\JZT\UserData
2008-12-09 16:57 . 2008-12-09 16:57 13,646 --a------ c:\windows\system32\wpa.bak
2008-12-05 19:42 . 2008-12-05 19:42 <DIR> d-------- c:\program files\FastAccessDSL
2008-12-05 19:42 . 2008-12-05 19:42 <DIR> d-------- c:\program files\Common Files\SupportSoft
2008-12-05 19:42 . 2008-06-18 00:12 1,230,336 --a------ c:\windows\system32\msxml4.dll
2008-12-05 19:38 . 2008-12-05 19:38 <DIR> d-------- c:\program files\AT&T
2008-12-05 19:38 . 2008-12-05 19:38 <DIR> d-------- c:\documents and settings\JZT\Application Data\AT&T
2008-12-05 19:38 . 2008-12-05 19:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\AT&T
2008-12-05 19:35 . 2008-12-05 19:35 <DIR> d-------- c:\program files\ATTToolbar
2008-12-05 19:35 . 2008-12-09 16:56 <DIR> d-------- c:\documents and settings\JZT\Application Data\ATTToolbar
2008-12-05 19:35 . 2008-12-30 09:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATTToolbar
2008-12-05 19:31 . 2008-12-05 19:31 <DIR> d-------- c:\program files\Yahoo!
2008-12-05 18:38 . 2008-12-05 19:38 <DIR> d-------- c:\program files\Common Files\Motive
2008-12-05 18:38 . 2008-12-05 18:38 <DIR> d-------- c:\program files\ATT-HSI
2008-12-05 18:38 . 2008-12-05 19:00 <DIR> d-------- c:\documents and settings\JZT\Application Data\Motive
2008-12-05 18:25 . 2008-12-05 18:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Motive
2008-11-25 03:36 . 2008-11-25 03:36 <DIR> d-------- c:\windows\nview
2008-11-25 03:36 . 2008-01-03 17:26 360,448 --a------ c:\windows\system32\nvudisp.exe
2008-11-25 03:36 . 2008-12-30 22:51 160,827 --a------ c:\windows\system32\nvapps.xml
2008-11-25 03:36 . 2008-01-03 17:26 17,737 --a------ c:\windows\system32\nvdisp.nvu
2008-11-25 03:35 . 2008-01-03 20:43 360,448 --a------ c:\windows\system32\NVUNINST.EXE
2008-11-25 03:18 . 2008-11-25 18:01 <DIR> d-------- c:\program files\ASUS
2008-11-25 03:18 . 2006-01-10 03:50 24,576 -ra------ c:\windows\system32\AsIO.dll
2008-11-25 03:18 . 2007-12-17 04:14 12,400 -ra------ c:\windows\system32\drivers\AsIO.sys
2008-11-25 03:18 . 2008-01-04 13:34 11,832 --a------ c:\windows\system32\drivers\AsInsHelp64.sys
2008-11-25 03:18 . 2008-01-04 13:34 10,216 --a------ c:\windows\system32\drivers\AsInsHelp32.sys
2008-11-25 03:12 . 2008-11-25 03:12 <DIR> d-------- c:\windows\system32\drivers\system32
2008-11-25 03:12 . 2008-11-25 03:12 <DIR> d-------- c:\windows\system32\drivers\INF
2008-11-25 03:11 . 2008-11-25 03:11 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-25 03:11 . 2008-11-25 03:11 <DIR> d-------- c:\program files\Intel
2008-11-25 03:11 . 2008-06-04 01:55 53,248 -ra------ c:\windows\system32\CSVer.dll
2008-11-25 03:09 . 2008-11-25 03:09 <DIR> d-------- C:\Intel
2008-11-25 03:07 . 2008-11-25 03:07 <DIR> d-------- c:\windows\system32\Lang
2008-11-25 03:07 . 2008-11-25 03:07 940,794 --a------ c:\windows\system32\LoopyMusic.wav
2008-11-25 03:07 . 2008-11-25 03:07 146,650 --a------ c:\windows\system32\BuzzingBee.wav
2008-11-25 03:06 . 2007-11-14 02:18 553 -r------- c:\windows\USetup.iss
2008-11-25 03:04 . 2008-11-25 03:04 <DIR> d-------- c:\program files\Realtek
2008-11-25 03:04 . 2008-11-25 03:18 <DIR> d-------- c:\program files\Common Files\InstallShield
2008-11-25 03:03 . 2008-11-25 03:03 <DIR> d-------- c:\program files\Marvell
2008-11-25 03:01 . 2008-11-25 03:01 <DIR> d-------- c:\windows\system32\Atheros_L1e
2008-11-25 03:01 . 2008-11-25 18:01 <DIR> d--h----- c:\program files\InstallShield Installation Information
2008-11-25 03:01 . 2008-06-25 11:47 36,864 -ra------ c:\windows\system32\drivers\l1e51x86.sys
2008-11-25 02:57 . 2008-11-25 02:57 <DIR> dr------- c:\windows\AsDmiHtm
2008-11-25 02:54 . 2008-11-25 18:00 37,245 --a------ c:\windows\Ascd_tmp.ini
2008-11-25 02:54 . 2007-12-28 10:22 10,296 --a------ c:\windows\system32\drivers\ASUSHWIO.SYS
2008-11-25 02:54 . 2004-08-13 05:56 5,810 -ra------ c:\windows\system32\drivers\ASACPI.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-25 08:04 315,392 ----a-w c:\windows\HideWin.exe
2008-11-14 12:10 --------- d-----w c:\program files\microsoft frontpage
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2006-06-24 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Six Engine"="c:\program files\ASUS\EPU-6 Engine\SixEngine.exe" [2008-06-03 5964800]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-03 13508608]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-03 86016]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"MSConfig"="c:\windows\pchealth\helpctr\binaries\msconfig.exe" [2007-07-27 158208]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2008-12-17 1655552]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-01-03 c:\windows\system32\nwiz.exe]
c:\documents and settings\JZT\Start Menu\Programs\Startup\
Probe2.exe.lnk - c:\program files\ASUS\PC Probe II\Probe2.exe [2008-11-25 2137088]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HelpCenter4.1]
--a------ 2008-06-18 00:13 198184 c:\program files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
R0 mv61xx;mv61xx;c:\windows\system32\DRIVERS\mv61xx.sys [2008-06-23 150568]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-18 78416]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-12-17 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-12-17 24208]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-18 20560]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\l1e51x86.sys [2008-11-25 36864]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 22:53:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*a*u*s*a*u*f*g*a*b*e*n*â*¬ r*e*f*e*r*a*t*e*.*d*e*]
@Owner=S-1-5-21-839522115-1547161642-2147188803-1003
"*"=dword:00000004
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*a*u*s*a*u*f*g*a*b*e*n* r*e*f*e*r*a*t*e*.*d*e*]
@Owner=S-1-5-21-839522115-1547161642-2147188803-1003
"*"=dword:00000004
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*a*u*s*a*u*f*g*a*b*e*n*â*¬ r*e*f*e*r*a*t*e*.*d*e*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*a*u*s*a*u*f*g*a*b*e*n* r*e*f*e*r*a*t*e*.*d*e*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_USERS\S-1-5-21-839522115-1547161642-2147188803-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*a*u*s*a*u*f*g*a*b*e*n*â*¬ r*e*f*e*r*a*t*e*.*d*e*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-839522115-1547161642-2147188803-1003
@Allowed: (Full) (S-1-5-21-839522115-1547161642-2147188803-1003)
@Allowed: (Full) (S-1-5-21-839522115-1547161642-2147188803-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
"*"=dword:00000004
[HKEY_USERS\S-1-5-21-839522115-1547161642-2147188803-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*a*u*s*a*u*f*g*a*b*e*n* r*e*f*e*r*a*t*e*.*d*e*]
@Security=(SE_DACL_PRESENT SE_SELF_RELATIVE (@Owner @Group @DACL)
@Owner=S-1-5-21-839522115-1547161642-2147188803-1003
@Allowed: (Full) (S-1-5-21-839522115-1547161642-2147188803-1003)
@Allowed: (Full) (S-1-5-21-839522115-1547161642-2147188803-1003)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (LocalSystem)
@Allowed: (Full) (Administrators)
@Allowed: (Full) (Administrators)
@Allowed: (Read) (S-1-5-12)
@Allowed: (Read) (S-1-5-12)
"*"=dword:00000004
[HKEY_USERS\S-1-5-21-839522115-1547161642-2147188803-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*a*u*s*a*u*f*g*a*b*e*n*â*¬ r*e*f*e*r*a*t*e*.*d*e*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_USERS\S-1-5-21-839522115-1547161642-2147188803-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*a*u*s*a*u*f*g*a*b*e*n* r*e*f*e*r*a*t*e*.*d*e*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*a*u*s*a*u*f*g*a*b*e*n*â*¬ r*e*f*e*r*a*t*e*.*d*e*]
@Owner=S-1-5-21-839522115-1547161642-2147188803-1003
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\h*a*u*s*a*u*f*g*a*b*e*n* r*e*f*e*r*a*t*e*.*d*e*]
@Owner=S-1-5-21-839522115-1547161642-2147188803-1003
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*a*u*s*a*u*f*g*a*b*e*n*â*¬ r*e*f*e*r*a*t*e*.*d*e*]
@Security="Inherited"
"*"=dword:00000004
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\h*a*u*s*a*u*f*g*a*b*e*n* r*e*f*e*r*a*t*e*.*d*e*]
@Security="Inherited"
"*"=dword:00000004
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Utilities\AdAware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\COMODO\Firewall\cmdagent.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\ASUS\AASP\1.00.63\aaCenter.exe
.
**************************************************************************
.
Completion time: 2008-12-30 22:53:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-31 03:53:37
Pre-Run: 45,524,606,976 bytes free
Post-Run: 45,535,416,320 bytes free
232 --- E O F --- 2008-12-14 02:45:08
shelf life
2008-12-31, 06:58
hi,
ok good. thanks for the info. you can remove combofix like this:
start>run and type in:
combofix /u
click ok or enter
Note: There is a space after the x and before the /
run MBAM once more and post the log. also rescan and post a new hjt log also.
Hi shelf life, thanks for the quick response! Here are the requested logs.
Thanks for your help!
Malwarebytes' Anti-Malware 1.31
Database version: 1574
Windows 5.1.2600 Service Pack 2
12/31/2008 12:17:05 AM
mbam-log-2008-12-31 (00-17-05).txt
Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 52339
Time elapsed: 2 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
*********************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:10 AM, on 12/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Utilities\AdAware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\EPU-6 Engine\SixEngine.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\Program Files\ASUS\AASP\1.00.63\aaCenter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\JZT\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\EPU-6 Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe /auto
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: Probe2.exe.lnk = C:\Program Files\ASUS\PC Probe II\Probe2.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229204239593
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Utilities\AdAware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 4589 bytes
shelf life
2009-01-01, 00:05
hi,
ok thanks. Keep malwarebytes and always check for updates before scanning. the paid version offers auto-updating and real time protection.
If all is good, some tips for you on avoiding malware:
Reducing Your Risk To Malware:
The Short Version
1) Keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us),(Windows) browser (IE, FireFox) and other Software (http://secunia.com/vulnerability_scanning/online/) up to date to "patch" vulnerabilities. Always install Service Packs.
2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons.
3) Install and keep them all updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless.
4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.
5) Don't click on ads/pop ups or offers from websites requesting that you need to install software to your computer.
6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?
7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent malware from installing.
8) Install a third party software firewall.
9) Consider using an alternate browser and E-mail client. Internet Explorer and OutLook Express are popular targets for malicious code because they are widely used.
10) If your habits include: warez,cracks etc or installing files via p2p networks then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another potential malware source?
More info in link below.
Happy Safe Surfing.
Hi shelf life,
Thank you very much for your help in resolving this problem. I'm glad there are people out there like yourself to help the less knowledgeable. I will follow the additional advice given.
I will run the system and see how it acts. I will let you know in a couple of days how the system is working, or if anything out of the ordinary shows up.
Thanks! again and have a happy and safe new year.
shelf life
2009-01-01, 15:52
hi Disker,
Thanks your welcome. Happy Safe Surfing.