Guest bugmenot Posted November 3, 2008 ID:33443

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:34 AM, on 11/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {D545BDBA-727B-4661-8ED1-5600073CDC27} - c:\windows\system32\ascuijq.dll (file missing)
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O20 - Winlogon Notify: zfvlnnlm - ascuijq.dll (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 1473 bytes

Malwarebytes' Anti-Malware 1.30
Database version: 1340
Windows 5.1.2600 Service Pack 2

11/3/2008 4:16:57 AM
mbam-log-2008-11-03 (04-16-54).txt

Scan type: Quick Scan
Objects scanned: 38196
Time elapsed: 1 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d545bdba-727b-4661-8ed1-5600073cdc27} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zfvlnnlm (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{d545bdba-727b-4661-8ed1-5600073cdc27} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\ascuijq.dll (Trojan.Vundo.H) -> No action taken.
Guest bugmenot Posted November 3, 2008 ID:33444

;********************************************************************************
 ANALYSIS: 2008-11-03 04:17:46
 PROTECTIONS: 0
 MALWARE: 3
 SUSPECTS: 7
;********************************************************************************
 PROTECTIONS
 Description Version Active Updated
;================================================================================
;================================================================================
 MALWARE
 Id Description Type Active Severity Disinfectable Disinfected Location
;================================================================================
00029434 spyware/virtumonde Spyware No 1 Yes No c:\windows\system32\appsetup.exe
03477235 Application/SmithFraudFix.A HackTools No 0 Yes No C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP4\A0001138.exe
03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP4\A0001060.sys
03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP4\A0001133.sys
03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP4\A0001134.sys
03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP4\A0001135.sys
03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP4\A0000060.sys
03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP2\A0000013.sys
03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP5\A0002188.sys
03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP7\A0004283.sys
03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP9\A0004947.sys
03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\WINDOWS\system32\drivers\zpajw.sys
;================================================================================
 SUSPECTS
 Sent Location
;================================================================================
No C:\Documents and Settings\Administrator\Desktop\New Folder\ComboFix.exe
No C:\Documents and Settings\Administrator\Desktop\New Folder\ComboFix.exe[32788R22FWJFW\psexec.cfexe]
No C:\Documents and Settings\Administrator\My Documents\mouse\mouse_programs.zip[usbmrs11.exe][umrs.exe]
No C:\Documents and Settings\Administrator\My Documents\mouse\usbmrs11.exe[umrs.exe]
No C:\Documents and Settings\Administrator\My Documents\oldcomputer stuff\mouse_programs.zip[usbmrs11.exe][umrs.exe]
No C:\Documents and Settings\Administrator\Desktop\New Folder\ComboFix.exe[32788R22FWJFW\psexec.cfexe]
No C:\Documents and Settings\Administrator\Desktop\New Folder\ComboFix.exe[32788R22FWJFW\psexec.cfexe]
;================================================================================
 VULNERABILITIES
 Id Severity Description
;================================================================================
 184380 MEDIUM MS08-002
 184379 MEDIUM MS08-001
 182048 HIGH MS07-069
 182046 HIGH MS07-067
 182043 HIGH MS07-064
 179553 HIGH MS07-061
 176382 HIGH MS07-057
 176383 HIGH MS07-058
 170911 HIGH MS07-050
 170907 HIGH MS07-046
 170906 HIGH MS07-045
 170904 HIGH MS07-043
 164915 HIGH MS07-035
 164913 HIGH MS07-033
 164911 HIGH MS07-031
 160623 HIGH MS07-027
 157262 HIGH MS07-022
 157261 HIGH MS07-021
 157260 HIGH MS07-020
 157259 HIGH MS07-019
 156477 HIGH MS07-017
 150253 HIGH MS07-016
 150249 HIGH MS07-013
 150248 HIGH MS07-012
 150247 HIGH MS07-011
 150243 HIGH MS07-008
 150242 HIGH MS07-007
 150241 MEDIUM MS07-006
 141034 HIGH MS06-076
 141033 MEDIUM MS06-075
 141030 HIGH MS06-072
 137571 HIGH MS06-070
 137568 HIGH MS06-067
 133387 MEDIUM MS06-065
 133386 MEDIUM MS06-064
 133385 MEDIUM MS06-063
 133379 HIGH MS06-057
 131654 HIGH MS06-055
 129977 MEDIUM MS06-053
 129976 MEDIUM MS06-052
 126093 HIGH MS06-051
 126092 MEDIUM MS06-050
 126087 HIGH MS06-046
 126086 MEDIUM MS06-045
 126083 HIGH MS06-042
 126082 HIGH MS06-041
 126081 HIGH MS06-040
 123421 HIGH MS06-036
 123420 HIGH MS06-035
 120825 MEDIUM MS06-032
 120823 MEDIUM MS06-030
 120818 HIGH MS06-025
 120815 HIGH MS06-022
 120814 HIGH MS06-021
 117384 MEDIUM MS06-018
 114666 HIGH MS06-015
 114664 HIGH MS06-013
 108744 MEDIUM MS06-008
 108743 MEDIUM MS06-007
 108742 MEDIUM MS06-006
 104567 HIGH MS06-002
 104237 HIGH MS06-001
 96574 HIGH MS05-053
 93395 HIGH MS05-051
 93394 HIGH MS05-050
 93454 MEDIUM MS05-049
;================================================================================

Why does the sticky have an online scanner that you have to pay to remove? And the things it picks up look fishy; I've used so many scanners the past few days that didn't pick up all that. Anyway, can someone help me remove this?
JeanInMontana Posted November 3, 2008 ID:33446

Hello, you don't have to pay to remove. Delete ComboFix from your desktop. You're not taking action with MBAM. When you scan with it you need to check the boxes next to what it found and remove them. Update MBAM, scan again, and this time take action. Post that log and then the full HJT log.
Guest bugmenot Posted November 3, 2008 ID:33474

Thanks for the reply.

Malwarebytes' Anti-Malware 1.30
Database version: 1358
Windows 5.1.2600 Service Pack 2

11/3/2008 11:00:28 AM
mbam-log-2008-11-03 (11-00-28).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 50483
Time elapsed: 2 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d545bdba-727b-4661-8ed1-5600073cdc27} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zfvlnnlm (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{d545bdba-727b-4661-8ed1-5600073cdc27} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kyfrsxnz (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kyfrsxnz (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\ascuijq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\peli.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:40 AM, on 11/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {D545BDBA-727B-4661-8ED1-5600073CDC27} - c:\windows\system32\ascuijq.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: zfvlnnlm - ascuijq.dll (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 1496 bytes
JeanInMontana Posted November 4, 2008 ID:33565

Are you taking out part of the HJT log? Run HJT again in scan only and put a check next to these lines, then click fix.

O2 - BHO: (no name) - {D545BDBA-727B-4661-8ED1-5600073CDC27} - c:\windows\system32\ascuijq.dll (file missing)
O20 - Winlogon Notify: zfvlnnlm - ascuijq.dll (file missing)

Reboot. Update MBAM, run a quick scan, and post that log and a new HJT log. The full HJT log.
Guest bugmenot Posted November 5, 2008 ID:33594

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:30 PM, on 11/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {D545BDBA-727B-4661-8ED1-5600073CDC27} - c:\windows\system32\ascuijq.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O20 - Winlogon Notify: zfvlnnlm - ascuijq.dll (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 1720 bytes
Guest bugmenot Posted November 5, 2008 ID:33595

Malwarebytes' Anti-Malware 1.30
Database version: 1366
Windows 5.1.2600 Service Pack 2

11/4/2008 7:06:14 PM
mbam-log-2008-11-04 (19-06-14).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 51364
Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d545bdba-727b-4661-8ed1-5600073cdc27} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zfvlnnlm (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{d545bdba-727b-4661-8ed1-5600073cdc27} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\ascuijq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CD1EB73B-00F4-4460-825B-0D743BF6942B}\RP9\A0005032.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
JeanInMontana Posted November 5, 2008 ID:33610

Look, for whatever reasons, you're not doing as asked: you're not posting a full log and you're not doing as MBAM says. You have a rootkit, which means all information on the machine has been compromised: banking, credit cards, etc., passwords. You need to change them all now. Notify the banks, etc. The only sure way to remove a rootkit is to reformat. Since you won't work with me, I suggest you do that. We have a clear forum policy that states you will cooperate and will not alter logs. You are not cooperating and you are altering the HJT log. I'm done.
Guest bugmenot Posted November 5, 2008 ID:33618

This is new to me. I'm running HijackThis, I click save log. I open the hijackthis.log, copy all the text and post it here. I tweak XP using Black Viper's guide, which disables a lot of XP services, and I disable a lot of start-ups too. I'm guessing this is why my log seems incomplete to you. I'm just wondering if you would know of any way to delete this; it just keeps on coming back when I restart my PC.
JeanInMontana Posted November 5, 2008 ID:33624

OK, that might explain the missing stuff, and it might also explain why it doesn't show in your logs. Please find this file, C:\WINDOWS\system32\nvsvc32.exe, and attach it in a zipped folder here in a new topic you start; link back to your thread in the HJT forum please. But how are you doing a full scan in 3 minutes?

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 51364
Time elapsed: 3 minute(s), 33 second(s)

You don't need to do a full scan; you do need to reboot for the delete when MBAM says so.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d545bdba-727b-4661-8ed1-5600073cdc27} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zfvlnnlm (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{d545bdba-727b-4661-8ed1-5600073cdc27} (Trojan.Vundo.H) -> Delete on reboot.

All those are delete on reboot. You have a rootkit; my advice about reformat is sincere, and the only way to be sure of removal.
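The two points the helper keeps returning to in this thread (a line ending in "No action taken" means nothing was removed, and "Delete on reboot" means the item is still there until the machine restarts) can be checked mechanically. The script below is an added example, not code from the forum or from Malwarebytes: it parses the MBAM log format seen above into detections with their disposition, lists what still needs action, and cross-references the HijackThis lines so that an O2/O20 entry whose target reads "(file missing)" and matches a file MBAM reported is flagged as a stale registry reference that still has to be fixed in HJT. The sample log and HJT lines are assembled from those posted in the thread; the function names are my own.

```python
"""Triage helper for the MBAM and HijackThis log formats seen in this thread.
Constructed example for the thread, not forum or Malwarebytes code."""
import re
from collections import Counter

# Sample MBAM log, assembled from the lines posted above (constructed input).
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.30
Database version: 1358

Registry Keys Infected: 3
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d545bdba-727b-4661-8ed1-5600073cdc27} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zfvlnnlm (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kyfrsxnz (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\ascuijq.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\drivers\peli.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# Sample HJT lines from the thread (constructed input).
SAMPLE_HJT_LINES = [
    r"O2 - BHO: (no name) - {D545BDBA-727B-4661-8ED1-5600073CDC27} - c:\windows\system32\ascuijq.dll (file missing)",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O20 - Winlogon Notify: zfvlnnlm - ascuijq.dll (file missing)",
]

# A section header such as "Files Infected:" (the summary counts end in ": N", so they do not match).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# One detection: "<location> (<threat name>) -> <disposition>."
DETECTION_RE = re.compile(r"^(?P<location>.+?) \((?P<threat>[^()]+)\) -> (?P<disposition>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict per detection: section, location, threat, disposition."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            d = m.groupdict()
            d["section"] = section
            detections.append(d)
    return detections


def classify(disposition):
    """Map MBAM's disposition text to what it means for the user."""
    d = disposition.lower()
    if d.startswith("no action"):
        return "not removed"        # user never clicked Remove Selected
    if "reboot" in d:
        return "pending reboot"     # removal is scheduled, not done
    if "quarantined" in d or "deleted" in d:
        return "removed"
    return "unknown"


def summarize(detections):
    return Counter(classify(d["disposition"]) for d in detections)


def pending_actions(detections):
    """Detections the user still has to deal with (remove, or reboot)."""
    return [d for d in detections if classify(d["disposition"]) in ("not removed", "pending reboot")]


def stale_hjt_entries(hjt_lines, detections):
    """HJT item types (e.g. 'O2') whose '(file missing)' target matches a file MBAM reported:
    the registry reference outlived the file and still needs fixing in HJT."""
    reported = {d["location"].rsplit("\\", 1)[-1].lower() for d in detections}
    stale = []
    for line in hjt_lines:
        m = re.search(r"([\w.-]+\.(?:dll|exe|sys)) \(file missing\)", line, re.I)
        if m and m.group(1).lower() in reported:
            stale.append(line.split(" - ", 1)[0])
    return stale


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("dispositions:", dict(summarize(dets)))
    for d in pending_actions(dets):
        print("still needs action:", d["section"], "->", d["disposition"], "::", d["location"])
    print("stale HJT entries to fix:", stale_hjt_entries(SAMPLE_HJT_LINES, dets))
```

Run it as-is to see the triage for the sample; point `parse_mbam_log` at a real log's text to triage that instead. The classifier deliberately treats "Delete on reboot" as unfinished rather than as removed, which is exactly the distinction the helper draws in the post above.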
JeanInMontana Posted November 13, 2008 ID:34724

Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance, PM any staff member and we will be happy to reopen the topic. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help, start your own topic and someone will be happy to assist you.