Check this out real quick... - Techist - Tech Forum

Old 10-09-2009, 07:08 PM   #1 (permalink)
Lord Techie
 
Join Date: Feb 2005
Location: asdf
Posts: 8,880
Default Check this out real quick...

Here is a bit of history... Installed SP3 and such on my computer after a fresh reformat... Installed AVG, Malwarebytes, Ad-Aware 2009, and so on as normal...

Went to a site that shall remain nameless, and on my very first visit to said site I ended up with an infection... I have pinpointed it to be a form of a Vundo infection...

Here is the kicker... After following Osiris's guide and doing SEVERAL things that I normally would, I still have an infection of some form, and it keeps reappearing...

So, someone else, check my HijackThis log and let me know if you see anything wrong...

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:42 PM, on 10/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Scotts Computer Repair
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [StealthBot Launcher v1.2] "C:\Program Files\StealthBot 2.7\Launcher.exe" -LaunchProfile "Charles R. Scott"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1255042617599
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5034 bytes
c0rr0sive is offline  
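For triaging a log in the format posted above, here is an added example (not from the thread and not HijackThis code): a Python script that parses the "Running processes" block and the O4, O20 and O23 entry types and lists the entries a reviewer should confirm first. The sample log is constructed in that format; ExampleLauncher, ExampleSvc and example32.exe are placeholders, not names from the log in this thread.

```python
"""Triage helper for HijackThis v2 log lines (added example, not HijackThis code).
Parses the 'Running processes' block plus O4 (Run keys), O20 (Winlogon Notify) and
O23 (services) entries; a finding means "confirm this", never "this is malicious"."""
import re
from dataclasses import dataclass

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<company>.+?) - (?P<path>.+)$")
# Host binaries whose real payload is the DLL named in their first argument.
HOSTS = {"rundll32.exe", "rundll32", "regsvr32.exe", "regsvr32"}
NO_PUBLISHER = "Unknown owner"  # what HijackThis prints in O23 when the binary has no company name

# Constructed sample in HijackThis format. ExampleLauncher, ExampleSvc and
# example32.exe are placeholders, not names from the thread's log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\stsystra.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKCU\..\Run: [ExampleLauncher] "C:\Program Files\Example App\Launcher.exe" -quiet
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\WINDOWS\system32\example32.exe
"""

@dataclass
class Entry:
    section: str        # O4, O20 or O23
    name: str           # Run value name, notify package or service short name
    target: str         # file that actually gets loaded
    company: str = ""   # publisher string (O23 only)

def target_of(cmd: str) -> str:
    """Return the file an O4 command line really loads: unwrap quotes and,
    for rundll32/regsvr32 hosts, take the DLL named before the first comma."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        first, rest = cmd[1:end], cmd[end + 1:].strip()
    else:
        first, _, rest = cmd.partition(" ")
    if first.rsplit("\\", 1)[-1].lower() in HOSTS and rest:
        return rest.split()[0].split(",")[0].strip('"')
    return first

def parse_log(text: str):
    """Return (set of running process paths, lowercased; list of Entry)."""
    running, entries, in_procs = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:  # the block ends at the first blank line
            if line:
                running.add(line.lower())
            else:
                in_procs = False
            continue
        if m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], target_of(m["cmd"])))
        elif m := O20_RE.match(line):
            entries.append(Entry("O20", m["name"], m["path"]))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m["short"], m["path"], m["company"]))
    return running, entries

def review(text: str):
    """Return (section, name, reason) tuples for entries worth confirming by hand."""
    running, entries = parse_log(text)
    findings = []
    for e in entries:
        if "\\" not in e.target:  # bare name: which copy loads depends on search-path resolution
            findings.append((e.section, e.name, "bare filename; confirm which copy on the search path actually loads"))
        if e.section == "O20":  # Winlogon Notify packages are DLLs loaded into winlogon.exe
            findings.append((e.section, e.name, "Winlogon Notify DLL loads into winlogon.exe; verify its publisher"))
        if e.section == "O23" and e.company == NO_PUBLISHER:
            state = "running" if e.target.lower() in running else "not running"
            findings.append((e.section, e.name, f"service binary has no publisher information ({state})"))
    return findings
```

Run `review(SAMPLE_LOG)` to get the list; the two bare-name hits in the sample (stsystra.exe and nvHotkey.dll) are legitimate vendor components in the log above, which is exactly why the output is a checklist rather than a verdict.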
Old 10-09-2009, 07:23 PM   #2 (permalink)
Techie Beyond Description
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Default Re: Check this out real quick...

Can I see the combofix and malwarebytes log?
Osiris is offline  
Old 10-09-2009, 07:37 PM   #3 (permalink)
Lord Techie
 
Join Date: Feb 2005
Location: asdf
Posts: 8,880
Default Re: Check this out real quick...

Here is the ComboFix log that I just got done with; Malwarebytes... yeah, that will take me another hour, again...

I have also run SDFix, and it appears that SDFix contains the same things that ComboFix does....

Quote:
ComboFix 09-10-08.04 - Charles R. Scott 10/09/2009 19:20.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1638 [GMT -4:00]
Running from: c:\documents and settings\Charles R. Scott\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-372580491-4117983620-1091125174-1000

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_ISASDK


((((((((((((((((((((((((( Files Created from 2009-09-09 to 2009-10-09 )))))))))))))))))))))))))))))))
.

2009-10-09 23:03 . 2009-10-09 23:03 -------- d-----w- c:\program files\Trend Micro
2009-10-09 23:02 . 2009-10-09 23:02 -------- d-sh--w- c:\documents and settings\Charles R. Scott\PrivacIE
2009-10-09 22:41 . 2009-10-09 22:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-09 22:33 . 2009-10-09 22:33 -------- d-sh--w- c:\documents and settings\Charles R. Scott\IETldCache
2009-10-09 22:22 . 2009-10-09 22:23 -------- dc-h--w- c:\windows\ie8
2009-10-09 22:01 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-10-09 22:01 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-10-09 22:00 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-10-09 22:00 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-10-09 22:00 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-09 22:00 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-10-09 22:00 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-10-09 21:59 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-10-09 21:59 . 2008-09-04 17:15 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-10-09 21:58 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-09 21:58 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-10-09 21:56 . 2001-08-17 17:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-10-09 21:56 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-10-09 21:56 . 2008-04-14 04:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-10-09 21:56 . 2008-04-14 04:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-10-09 05:20 . 2009-10-09 05:20 -------- d-----w- c:\program files\Synaptics
2009-10-09 05:20 . 2007-04-27 20:34 110592 ----a-w- c:\windows\system32\SynTPCo4.dll
2009-10-09 05:20 . 2007-04-27 19:49 143360 ----a-w- c:\windows\system32\SynTPAPI.dll
2009-10-09 05:20 . 2007-04-27 19:42 196608 ----a-w- c:\windows\system32\SynCtrl.dll
2009-10-09 05:20 . 2007-04-27 19:42 163840 ----a-w- c:\windows\system32\SynCOM.dll
2009-10-09 05:20 . 2007-04-27 19:37 202912 ----a-w- c:\windows\system32\drivers\SynTP.sys
2009-10-09 05:20 . 2009-10-09 05:20 -------- d-----w- c:\program files\CONEXANT
2009-10-09 05:18 . 2007-05-06 21:10 405504 ----a-w- c:\windows\stsystra.exe
2009-10-09 05:17 . 2009-10-09 05:17 -------- d-----w- c:\windows\system32\vmm32
2009-10-09 05:17 . 2009-10-09 05:17 -------- d-----w- c:\program files\Dell
2009-10-09 05:16 . 2009-10-09 06:02 -------- d-----w- c:\documents and settings\Charles R. Scott\Application Data\vlc
2009-10-09 05:12 . 2009-10-09 05:12 2285056 ----a-w- c:\windows\system32\TUKernel.exe
2009-10-09 04:51 . 2008-09-10 01:14 1307648 -c----w- c:\windows\system32\dllcache\msxml6.dll
2009-10-09 04:51 . 2008-04-14 02:57 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2009-10-09 04:51 . 2007-06-26 15:30 22060 -c----w- c:\windows\system32\dllcache\npds.zip
2009-10-09 04:51 . 2007-06-26 15:26 403 -c----w- c:\windows\system32\dllcache\npdrmv2.zip
2009-10-09 04:43 . 2009-10-09 04:43 -------- d-----w- c:\windows\ServicePackFiles
2009-10-09 04:42 . 2008-04-14 09:42 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2009-10-09 04:26 . 2008-06-12 13:46 4608 ----a-w- c:\windows\system32\drivers\vncmirror.sys
2009-10-09 04:26 . 2008-06-12 13:46 20992 ----a-w- c:\windows\system32\vncmirror.dll
2009-10-09 04:26 . 2009-10-09 04:26 -------- d-----w- c:\program files\RealVNC
2009-10-09 04:01 . 2009-10-09 04:01 -------- d-----w- c:\program files\VideoLAN
2009-10-09 04:00 . 2003-06-18 21:31 17920 ----a-w- c:\windows\system32\mdimon.dll
2009-10-09 04:00 . 2009-10-09 04:00 -------- d-----w- c:\program files\Microsoft.NET
2009-10-09 04:00 . 2009-10-09 04:00 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-10-09 04:00 . 2009-10-09 04:00 -------- d-----w- c:\windows\SHELLNEW
2009-10-09 03:58 . 2009-10-09 03:58 -------- d-----r- C:\MSOCache
2009-10-09 03:54 . 2009-10-09 03:55 -------- d-----w- c:\program files\WinISD
2009-10-09 03:31 . 2009-10-09 03:31 603904 ----a-w- c:\windows\system32\TUProgSt.exe
2009-10-09 03:31 . 2008-12-11 17:31 27904 ----a-w- c:\windows\system32\uxtuneup.dll
2009-10-09 03:31 . 2009-10-09 03:31 360192 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-10-09 03:31 . 2009-10-09 03:31 -------- d-----w- c:\documents and settings\Charles R. Scott\Application Data\TuneUp Software
2009-10-09 03:30 . 2009-10-09 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-10-09 03:30 . 2009-10-09 03:30 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-10-09 03:30 . 2009-10-09 03:30 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-10-09 03:06 . 2009-10-09 03:06 -------- d-----w- c:\documents and settings\Charles R. Scott\Application Data\Malwarebytes
2009-10-09 02:30 . 2009-10-09 02:30 12328 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-09 02:22 . 2009-10-09 02:22 -------- d-----w- c:\windows\ERUNT
2009-10-09 02:17 . 2007-02-16 09:05 14464 ----a-w- c:\windows\system32\drivers\fanio.sys
2009-10-09 02:17 . 2009-10-09 02:17 -------- d-----w- c:\program files\I8kfanGUI
2009-10-09 02:13 . 2009-10-09 02:13 -------- d-----w- C:\VundoFix Backups
2009-10-09 01:40 . 2009-10-09 01:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-09 01:40 . 2009-10-09 03:49 -------- d-----w- C:\SDFix
2009-10-09 01:40 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 01:40 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 01:40 . 2009-10-09 22:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 01:40 . 2009-10-09 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-09 01:40 . 2009-10-09 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-09 01:40 . 2009-10-09 01:40 -------- d-----w- c:\program files\Lavasoft
2009-10-09 01:39 . 2009-10-09 01:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-09 01:28 . 2009-10-09 01:28 -------- d-----w- C:\$AVG8.VAULT$
2009-10-09 00:33 . 2009-10-09 00:33 -------- d-----w- c:\windows\system32\LogFiles
2009-10-08 23:14 . 2009-10-08 23:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-08 23:14 . 2009-10-08 23:14 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-08 23:14 . 2009-10-08 23:14 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-08 23:14 . 2009-10-08 23:14 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-08 23:14 . 2009-10-09 21:58 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-08 23:14 . 2009-10-08 23:14 -------- d-----w- c:\program files\AVG
2009-10-08 23:14 . 2009-10-08 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-08 23:13 . 2009-01-07 22:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-10-08 22:58 . 2008-10-16 18:09 43544 ----a-w- c:\windows\system32\wups2.dll
2009-10-08 22:56 . 2009-10-08 22:56 -------- d-s---w- c:\documents and settings\Charles R. Scott\UserData
2009-10-08 22:32 . 2009-10-08 22:32 -------- d-----w- c:\documents and settings\Charles R. Scott\Application Data\StealthBot
2009-10-08 22:32 . 2009-10-09 04:07 -------- d-----w- c:\program files\StealthBot 2.7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-09 05:20 . 2009-10-09 05:18 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-09 05:18 . 2009-10-09 05:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-09 05:18 . 2009-10-09 05:18 -------- d-----w- c:\program files\SigmaTel
2009-10-09 04:10 . 2009-10-08 18:32 17456 ----a-w- c:\documents and settings\Charles R. Scott\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-08 18:32 . 2009-10-08 14:04 56860 ----a-w- c:\windows\system32\nvModes.dat
2009-10-08 18:13 . 2009-10-08 18:13 -------- d-----w- c:\program files\microsoft frontpage
2009-10-08 18:09 . 2009-10-08 18:09 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-12 06:09 . 2009-09-12 06:09 40960 ----a-w- c:\windows\system32\SSubTmr6.dll
2009-09-12 06:09 . 2009-09-12 06:09 150528 ----a-w- c:\windows\system32\TLBINF32.DLL
2009-08-05 09:01 . 2006-02-28 11:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2006-02-28 11:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2006-02-28 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2006-02-28 11:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2006-02-28 11:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"i8kfangui"="c:\program files\I8kfanGUI\I8kfanGUI.exe" [2007-02-16 856064]
"StealthBot Launcher v1.2"="c:\program files\StealthBot 2.7\Launcher.exe" [2009-10-07 37896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-12 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-12 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-08 2023704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 851968]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-05-12 67584]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-05-06 405504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-03-08 128512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-08 23:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/8/2009 7:14 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/8/2009 7:14 PM 108552]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [10/8/2009 10:17 PM 14464]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/8/2009 7:14 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/8/2009 7:14 PM 297752]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [10/8/2009 11:31 PM 603904]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-09 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-12 01:36]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - e:\antivirus and tech tools\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-10-09 19:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2272)
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-10-09 19:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-09 23:30

Pre-Run: 12,764,176,384 bytes free
Post-Run: 12,689,469,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /TUTag=WRAV7G /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=WRAV7G-BAK

218
c0rr0sive is offline  
Old 10-09-2009, 07:41 PM   #4 (permalink)
Lord Techie
 
Join Date: Feb 2005
Location: asdf
Posts: 8,880
Default Re: Check this out real quick...

Here are the Malwarebytes scans... I have performed multiple scans, one under both the admin and my main account...

Quote:
Malwarebytes' Anti-Malware 1.41
Database version: 2933
Windows 5.1.2600 Service Pack 3

10/9/2009 7:13:53 PM
mbam-log-2009-10-09 (19-13-53).txt

Scan type: Full Scan (C:\|)
Objects scanned: 122809
Time elapsed: 37 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\6to4v32.dll (Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\6to4 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\isasdk (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\6to4v32.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\isasdk.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\minix32.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c0rr0sive is offline  
Old 10-09-2009, 07:50 PM   #5 (permalink)
Techie Beyond Description
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Default Re: Check this out real quick...

So after running those 2 programs, is the infection still there?
Osiris is offline  
Old 10-09-2009, 07:52 PM   #6 (permalink)
Lord Techie
 
Join Date: Feb 2005
Location: asdf
Posts: 8,880
Default Re: Check this out real quick...

After a few restarts, if I run Malwarebytes, AVG complains about an infection, and Malwarebytes also picks it up. I have turned restore points off and wiped out my temp files/recycle bin each and every time... I have also disabled all add-ons for IE8...
c0rr0sive is offline  
Old 10-09-2009, 08:01 PM   #7 (permalink)
Techie Beyond Description
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Default Re: Check this out real quick...

Run this

VundoFix by Atribune
Osiris is offline  
Old 10-09-2009, 08:07 PM   #8 (permalink)
Lord Techie
 
Join Date: Feb 2005
Location: asdf
Posts: 8,880
Default Re: Check this out real quick...

I ran that last night, and it said it removed the infection... I guess I will run it again; it looks like I didn't have the latest version of it though...
c0rr0sive is offline  
Old 10-10-2009, 01:00 AM   #9 (permalink)
Techie Beyond Description
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Default Re: Check this out real quick...

Any results?
Osiris is offline  
Old 10-10-2009, 06:55 PM   #10 (permalink)
Lord Techie
 
Join Date: Feb 2005
Location: asdf
Posts: 8,880
Default Re: Check this out real quick...

VundoFix found nothing, but while I was browsing some startup items in the Windows services I found a service trying to imitate PunkBuster, though I don't have any games on this computer, let alone PunkBuster. I disabled the service while in safe mode and ran Malwarebytes along with SDFix, and I no longer get anything...

But the reason why I asked for your input is because Malwarebytes would show Vundo after a few restarts... And sorry for the long response; I don't have internet at home and have to travel to town to get online.

Issue is now resolved, thanks for the help.
c0rr0sive is offline  
 

All times are GMT -5. The time now is 12:12 PM.

