janflora
Members-
Posts
6 -
Joined
-
Last visited
Content Type
Events
Profiles
Forums
Everything posted by janflora
-
I dont know what to donext- please analyze
janflora replied to janflora's topic in Resolved Malware Removal Logs
OK hope this is right...pretty sure Sandboxie is off...thanks! janflora_rootrepeal.txt ROOTREPEAL © AD, 2007-2008 ================================================== Scan Time: 2009/02/03 00:41 Program Version: Version 1.2.3.0 Windows Version: Windows XP Media Center Edition SP3 ================================================== Drivers ------------------- Name: dump_iastor.sys Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys Address: 0xA10FA000 Size: 872448 File Visible: No Status: - Name: PCI_PNP6678 Image Path: \Driver\PCI_PNP6678 Address: 0x00000000 Size: 0 File Visible: No Status: - Name: rootrepeal.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys Address: 0xF76B2000 Size: 45056 File Visible: No Status: - Name: spei.sys Image Path: spei.sys Address: 0xF7411000 Size: 1048576 File Visible: No Status: - Name: sptd Image Path: \Driver\sptd Address: 0x00000000 Size: 0 File Visible: No Status: - Hidden/Locked Files ------------------- Path: C:\Documents and Settings\janet\Local Settings\Temp\etilqs_5Lie2wTJvX82xWj21Yhq Status: Allocation size mismatch (API: 65536, Raw: 0) Path: C:\WINDOWS\system32\wbem\Logs\wbemcore.log Status: Size mismatch (API: 65039, Raw: 64947) Path: C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Log\log_20.trc Status: Allocation size mismatch (API: 4096, Raw: 0) Path: C:\Documents and Settings\ian\Local Settings\Apps\2.0\2Y5PQEEZ.0RA\1OAT52G6.V7T\manifests\WindowsApplication1.exe.cdf-ms Status: Locked to the Windows API! Path: C:\Documents and Settings\ian\Local Settings\Apps\2.0\2Y5PQEEZ.0RA\1OAT52G6.V7T\manifests\WindowsApplication1.exe.manifest Status: Locked to the Windows API! SSDT ------------------- #: 041 Function Name: NtCreateKey Status: Hooked by "spei.sys" at address 0xf74120e0 #: 053 Function Name: NtCreateThread Status: Hooked by "<unknown>" at address 0xf7d615d4 #: 071 Function Name: NtEnumerateKey Status: Hooked by "spei.sys" at address 0xf7430ca2 #: 073 Function Name: NtEnumerateValueKey Status: Hooked by "spei.sys" at address 0xf7431030 #: 119 Function Name: NtOpenKey Status: Hooked by "spei.sys" at address 0xf74120c0 #: 122 Function Name: NtOpenProcess Status: Hooked by "<unknown>" at address 0xf7d615c0 #: 128 Function Name: NtOpenThread Status: Hooked by "<unknown>" at address 0xf7d615c5 #: 160 Function Name: NtQueryKey Status: Hooked by "spei.sys" at address 0xf7431108 #: 177 Function Name: NtQueryValueKey Status: Hooked by "spei.sys" at address 0xf7430f88 #: 247 Function Name: NtSetValueKey Status: Hooked by "spei.sys" at address 0xf743119a #: 257 Function Name: NtTerminateProcess Status: Hooked by "<unknown>" at address 0xf7d615cf #: 277 Function Name: NtWriteVirtualMemory Status: Hooked by "<unknown>" at address 0xf7d615ca Stealth Objects ------------------- Object: Hidden Module [Name: UIX.dll] Process: Zune.exe (PID: 2296) Address: 0x01060000 Size: 1683456 Object: Hidden Module [Name: UIX.renderapi.dll] Process: Zune.exe (PID: 2296) Address: 0x00f10000 Size: 692224 Object: Hidden Module [Name: ZuneShell.dll] Process: Zune.exe (PID: 2296) Address: 0x00e10000 Size: 987136 Object: Hidden Module [Name: ZuneDBApi.dll] Process: Zune.exe (PID: 2296) Address: 0x00fc0000 Size: 647168 Object: Hidden Module [Name: UIXcontrols.dll] Process: Zune.exe (PID: 2296) Address: 0x034d0000 Size: 2699264 Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP] Process: System Address: 0x873d41f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP] Process: System Address: 0x868d51f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_READ] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_POWER] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: dmio, IRP_MJ_PNP] Process: System Address: 0x873661f8 Size: - Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE] Process: System Address: 0x8660a1f8 Size: - Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE] Process: System Address: 0x8660a1f8 Size: - Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8660a1f8 Size: - Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8660a1f8 Size: - Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER] Process: System Address: 0x8660a1f8 Size: - Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x8660a1f8 Size: - Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP] Process: System Address: 0x8660a1f8 Size: - Object: Hidden Code [Driver: iastor, IRP_MJ_CREATE] Process: System Address: 0x873d61f8 Size: - Object: Hidden Code [Driver: iastor, IRP_MJ_CLOSE] Process: System Address: 0x873d61f8 Size: - Object: Hidden Code [Driver: iastor, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x873d61f8 Size: - Object: Hidden Code [Driver: iastor, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x873d61f8 Size: - Object: Hidden Code [Driver: iastor, IRP_MJ_POWER] Process: System Address: 0x873d61f8 Size: - Object: Hidden Code [Driver: iastor, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x873d61f8 Size: - Object: Hidden Code [Driver: iastor, IRP_MJ_PNP] Process: System Address: 0x873d61f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP] Process: System Address: 0x873d71f8 Size: - Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE] Process: System Address: 0x860b21f8 Size: - Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE] Process: System Address: 0x860b21f8 Size: - Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x860b21f8 Size: - Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x860b21f8 Size: - Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP] Process: System Address: 0x860b21f8 Size: - Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP] Process: System Address: 0x860b21f8 Size: - Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE] Process: System Address: 0x8693a500 Size: - Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE] Process: System Address: 0x8693a500 Size: - Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8693a500 Size: - Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8693a500 Size: - Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER] Process: System Address: 0x8693a500 Size: - Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x8693a500 Size: - Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP] Process: System Address: 0x8693a500 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP] Process: System Address: 0x860a41f8 Size: - Object: Hidden Code [Driver: Cdfsఉ瑎捦܉@考, IRP_MJ_CREATE] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfsఉ瑎捦܉@考, IRP_MJ_CLOSE] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfsఉ瑎捦܉@考, IRP_MJ_READ] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfsఉ瑎捦܉@考, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfsఉ瑎捦܉@考, IRP_MJ_SET_INFORMATION] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfsఉ瑎捦܉@考, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfsఉ瑎捦܉@考, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfsఉ瑎捦܉@考, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfsఉ瑎捦܉@考, IRP_MJ_SHUTDOWN] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfsఉ瑎捦܉@考, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfsఉ瑎捦܉@考, IRP_MJ_CLEANUP] Process: System Address: 0x8602a1f8 Size: - Object: Hidden Code [Driver: Cdfsఉ瑎捦܉@考, IRP_MJ_PNP] Process: System Address: 0x8602a1f8 Size: - -
I dont know what to donext- please analyze
janflora replied to janflora's topic in Resolved Malware Removal Logs
Thanks again... here are the most recent logs...it sounds good [?] Malwarebytes' Anti-Malware 1.33 Database version: 1714 Windows 5.1.2600 Service Pack 3 2/1/2009 7:35:30 PM mbam-log-2009-02-01 (19-35-30).txt Scan type: Quick Scan Objects scanned: 60653 Time elapsed: 5 minute(s), 11 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:37:55 PM, on 2/1/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\Explorer.EXE c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe c:\WINDOWS\system32\ZuneBusEnum.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://next.my.msn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [smileboxTray] "C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe" O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'Default user') O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189536675546 O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe -- End of file - 4097 bytes -
I dont know what to donext- please analyze
janflora replied to janflora's topic in Resolved Malware Removal Logs
First of all...You guys rock...i am so glad someone understands this language! And I appreciate the help...I probably could have used it many times before! I do have some ?s- My son actually put Sandbox and BitTorrent on...I do not really use them, [or understand them] but I did tell him I thought there could be problems from the sharing thing [he plays a lot of games with other players, idk...] Is this our biggest problem? How can he play w/out file-sharing? I would appreciate an expert opinion b/c he's about to get cut off the comp Anyhoo...I did follow all steps to the best of my ability but one Java file would not delete ["cannot delete jusched.exe Access denied"] and one line I could not find at the final cleanout on HJT ["C;/Windows/Sys32/vtUkighh.dll].... but the records look good now Malwarebytes' Anti-Malware 1.33 Database version: 1711 Windows 5.1.2600 Service Pack 3 1/31/2009 12:42:02 AM mbam-log-2009-01-31 (00-42-02).txt Scan type: Quick Scan Objects scanned: 63708 Time elapsed: 5 minute(s), 5 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:44:10 AM, on 1/31/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe c:\WINDOWS\system32\ZuneBusEnum.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://next.my.msn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll O2 - BHO: (no name) - {8632ABCA-B104-4FBC-9C70-419C4147061B} - (no file) O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - (no file) O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent O4 - HKCU\..\Run: [smileboxTray] "C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe" O4 - HKCU\..\Run: [Azeroth Advisor Uploader] C:\Program Files\Azeroth Advisor Uploader\AzerothAdvisor.exe SILENT O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'Default user') O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189536675546 O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe -- End of file - 5094 bytes One more question? How can I get Internet Explorer off? It has been messed up for a few months and I just started using Foxfire [which my son had on here already] but I cannot Add/Remove the IE program...is this advisable? I did finally get it off the default setting...sorry to be too much bother...i'm clueless Thank you again! -
I dont know what to donext- please analyze
janflora replied to janflora's topic in Resolved Malware Removal Logs
Thank you....sorry it took me awhile to get back...we tried restarting last night [w/ old version] and added Avira too...now I did it w/ the new MWB....here are the logs...thank you! Malwarebytes' Anti-Malware 1.33 Database version: 1707 Windows 5.1.2600 Service Pack 3 1/29/2009 8:24:28 PM mbam-log-2009-01-29 (20-24-28).txt Scan type: Quick Scan Objects scanned: 60869 Time elapsed: 4 minute(s), 54 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 6 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 11 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\3J4FWLIH\CAC9GXSR (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\3J4FWLIH\CAD3V1C4 (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\3J4FWLIH\CAH42XD7 (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\IJIX694D\CAAFMLMX (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\IJIX694D\CAEZOXU7 (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\IJIX694D\CAO5U51E (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\WLCTEVWD\CA270L2Z (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\WLCTEVWD\CA87694B (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\WLCTEVWD\CAEBS52F (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\WLCTEVWD\CAIV45QF (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\WLCTEVWD\CAT46PX3 (Trojan.Vundo) -> Quarantined and deleted successfully. and HIJACK: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:27:31 PM, on 1/29/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe c:\WINDOWS\system32\ZuneBusEnum.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\DNA\btdna.exe C:\Program Files\Sandboxie\SbieCtrl.exe C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://next.my.msn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file) O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing) O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {8632ABCA-B104-4FBC-9C70-419C4147061B} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: (no name) - {E31DDF3A-5E5D-476C-A9D5-47A1C85EDF37} - C:\WINDOWS\system32\vtUkighh.dll (file missing) O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - (no file) O3 - Toolbar: &Windows Live Toolbar Beta - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (file missing) O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent O4 - HKCU\..\Run: [smileboxTray] "C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe" O4 - HKCU\..\Run: [Azeroth Advisor Uploader] C:\Program Files\Azeroth Advisor Uploader\AzerothAdvisor.exe SILENT O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe" O4 - HKCU\..\Run: [sandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe" O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'Default user') O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: *.amaena.com O15 - Trusted Zone: *.antimalwareguard.com O15 - Trusted Zone: *.antispyexpert.com O15 - Trusted Zone: *.avsystemcare.com O15 - Trusted Zone: *.gomyhit.com O15 - Trusted Zone: *.imageservr.com O15 - Trusted Zone: *.imagesrvr.com O15 - Trusted Zone: *.onerateld.com O15 - Trusted Zone: *.safetydownload.com O15 - Trusted Zone: *.spyguardpro.com O15 - Trusted Zone: *.storageguardsoft.com O15 - Trusted Zone: *.trustedantivirus.com O15 - Trusted Zone: *.virusremover2008.com O15 - Trusted Zone: *.virusschlacht.com O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189536675546 O20 - AppInit_DLLs: jkdjhw.dll,gxgcdd.dll O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe -- End of file - 6439 bytes The comp is already faster! maybe its good now?...fingers crossed... -
I dont know what to donext- please analyze
janflora replied to janflora's topic in Resolved Malware Removal Logs
somehow "I would appreciate any advice or wisdom" got half deleted... i am anxiously awaiting a response...anyone? -
I had some silly promo pop up which panicked me to do a virus scan. My son had put AVG Virus prog on here but apparently its disabled or missing [says no components now] So I immediately ran Malwarebytes and had 23 files infected!! I chose remove all then noticed the sys32 files which is bad right? I am anxious [scared!] about rebooting to delete some of these files...but also concerned about the Trojans of course...We just had comp serviced last week and I cannot lose any more worktime! help! here is mwb log: Malwarebytes' Anti-Malware 1.23 Database version: 985 Windows 5.1.2600 Service Pack 3 2:27:21 PM 1/28/2009 mbam-log-1-28-2009 (14-27-21).txt Scan type: Quick Scan Objects scanned: 44278 Time elapsed: 17 minute(s), 31 second(s) Memory Processes Infected: 0 Memory Modules Infected: 4 Registry Keys Infected: 10 Registry Values Infected: 2 Registry Data Items Infected: 2 Folders Infected: 0 Files Infected: 11 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\vtUkighh.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\xhcjofni.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\jkdjhw.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\geBrppqo.dll (Trojan.Vundo) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1d92af15-a7c1-4cbd-9eec-bee8163a5343} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{1d92af15-a7c1-4cbd-9eec-bee8163a5343} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e31ddf3a-5e5d-476c-a9d5-47a1c85edf37} (Trojan.Vundo) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{e31ddf3a-5e5d-476c-a9d5-47a1c85edf37} (Trojan.Vundo) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.BHO) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.BHO) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebrppqo (Trojan.Vundo) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\28ef570b (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\vtukighh -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\vtukighh -> Delete on reboot. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\jkdjhw.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\vtUkighh.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\hhgikUtv.ini (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\hhgikUtv.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\xhcjofni.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\infojchx.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\geBrppqo.dll (Trojan.BHO) -> Delete on reboot. C:\WINDOWS\system32\vciuswyj.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\IJIX694D\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\ian\Local Settings\Temporary Internet Files\Content.IE5\WT85QZM5\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\fccbYpQH.dll (Trojan.Vundo) -> Quarantined and deleted successfully. and Hijack this log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:37:07 PM, on 1/28/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\Program Files\AVG\AVG8\avgrsx.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe c:\WINDOWS\system32\ZuneBusEnum.exe C:\WINDOWS\ehome\mcrdsvc.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe C:\Program Files\DNA\btdna.exe C:\Program Files\Sandboxie\SbieCtrl.exe C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe C:\Program Files\AVG\AVG8\avgscanx.exe C:\Program Files\AVG\AVG8\avgscanx.exe C:\Program Files\AVG\AVG8\avgscanx.exe C:\Program Files\AVG\AVG8\avgscanx.exe C:\Program Files\AVG\AVG8\avgscanx.exe C:\Program Files\AVG\AVG8\avgtray.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\WINDOWS\hh.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://next.my.msn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file) O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: {6efa1882-7936-73fb-c9b4-17ef3bb202d4} - {4d202bb3-fe71-4b9c-bf37-63972881afe6} - C:\WINDOWS\system32\gxgcdd.dll O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\geBrppqo.dll O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {77AB5974-55A3-4737-9FD5-B93C64307F78} - C:\WINDOWS\system32\ejdbampp.dll O2 - BHO: (no name) - {8632ABCA-B104-4FBC-9C70-419C4147061B} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: (no name) - {E31DDF3A-5E5D-476C-A9D5-47A1C85EDF37} - C:\WINDOWS\system32\vtUkighh.dll (file missing) O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - (no file) O3 - Toolbar: &Windows Live Toolbar Beta - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (file missing) O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent O4 - HKCU\..\Run: [smileboxTray] "C:\Documents and Settings\janet\Application Data\Smilebox\SmileboxTray.exe" O4 - HKCU\..\Run: [Azeroth Advisor Uploader] C:\Program Files\Azeroth Advisor Uploader\AzerothAdvisor.exe SILENT O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe" O4 - HKCU\..\Run: [sandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe" O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.2.11\ilikesidebar.exe /checkforupdate (User 'Default user') O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: *.amaena.com O15 - Trusted Zone: *.antimalwareguard.com O15 - Trusted Zone: *.antispyexpert.com O15 - Trusted Zone: *.avsystemcare.com O15 - Trusted Zone: *.gomyhit.com O15 - Trusted Zone: *.imageservr.com O15 - Trusted Zone: *.imagesrvr.com O15 - Trusted Zone: *.onerateld.com O15 - Trusted Zone: *.safetydownload.com O15 - Trusted Zone: *.spyguardpro.com O15 - Trusted Zone: *.storageguardsoft.com O15 - Trusted Zone: *.trustedantivirus.com O15 - Trusted Zone: *.virusremover2008.com O15 - Trusted Zone: *.virusschlacht.com O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189536675546 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll jkdjhw.dll gxgcdd.dll O20 - Winlogon Notify: geBrppqo - C:\WINDOWS\SYSTEM32\geBrppqo.dll O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe -- End of file - 7464 bytes I would app