Avast WEBforum

Other => Viruses and worms => Topic started by: daronmiller on May 26, 2007, 03:44:31 AM

Title: H! E! L! P!
Post by: daronmiller on May 26, 2007, 03:44:31 AM
I have a ..... something.... that keeps sending emails from my PC (as advised by the outgoing message scan from Avast). I've run MULTIPLE spyware/trojan/etc utilities, finding NOTHING (that I haven't fixed). It still keeps sending emails (unless I shut down my network connection). I've also killed just about every running process hoping to find the process doing this.

I have hijack-this (if it helps). Ok, now that I have tried every conceivable thing I can think of...PLEASE HELP!!!!

(I sure hope spelling is OPTIONAL on this board :)


Title: Re: H! E! L! P!
Post by: mauserme on May 26, 2007, 04:55:32 AM
I have hijack-this (if it helps).
Go ahead and post a log, but don't fix anything yet.


I sure hope spelling is OPTIONAL on this board :)
It always has been for me.  Well, correct spelling, anyway  :)



BTW, what utilities have you already tried?  And what operating system?
Title: Re: H! E! L! P!
Post by: Lisandro on May 26, 2007, 02:42:16 PM
We will need more information to be able to help you:
- What avast! version and VPS file (virus database) number?
- What was the filename and path where the virus was found?
- Which actions have you taken to try solving the problem?
- Do you use a firewall? Which one?
- Do you have any other antivirus installed in your system?
- Any other security programs that could interfere?
Title: Re: H! E! L! P!
Post by: daronmiller on May 26, 2007, 02:45:09 PM
OK, Info blast coming....

Running Windows XP SP2

I have run...

Avast 4.7 Home
AdAware
Spybot S&D
Spyware Dr. (Didn't clean anything WITH this, but did find a few things)
a-squared
TrendMicro House call (online scan)

I update the databases prior to each run. I now get pretty much clean scans with every one of these (except for minor things like a few cookies, which I clean EVERY time...). I've also turned off Recovery so the stuff found in there is now clean too. I've even killed processes to try and catch the process sending the emails, with no success. I'm getting tired of the hours it takes to keep scanning, just to find nothing. :|

Anyway, here is the log from HJT:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:36:05 AM, on 5/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\a-squared Free\a2free.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\HiJackThis\HiJackThis_v2.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

By the way, if you got any unsolicited spam today,... sorry. :)
Title: Re: H! E! L! P!
Post by: daronmiller on May 26, 2007, 02:49:05 PM
Btw, here is the original avast log when this thing started showing up...

5/25/2007 3:53:03 AM   user   3420   Sign of "Win32:Spyware-gen. [Trj]" has been found in "C:\System Volume Information\_restore{7E60783E-118B-456F-AB3F-AAE256EC9760}\RP383\A0079272.exe" file. 
5/24/2007 9:24:09 PM   SYSTEM   1676   Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\user\LOCALS~1\Temp\ykopgufb.dll" file. 
5/24/2007 8:24:50 PM   SYSTEM   1696   Sign of "Win32:VBStat-C [Trj]" has been found in "C:\DOCUME~1\user\LOCALS~1\Temp\blkyivrl.dll" file. 
5/24/2007 8:16:40 PM   SYSTEM   1696   Sign of "Win32:PurityScan-AF [Trj]" has been found in "C:\Program Files\Common Files\Yazzle1162OinAdmin.exe\[PECompact]" file. 
5/24/2007 8:16:35 PM   SYSTEM   1696   Sign of "Win32:Agent-ECD [Trj]" has been found in "http://l.mezzicodec.net/a412/tr.php?m=0&b=779\[PECompact]" file. 
5/24/2007 8:16:19 PM   SYSTEM   1696   Sign of "Win32:Agent-FDG [Trj]" has been found in "http://l.mezzicodec.net/a412/sv.php?m=0&b=779" file. 
5/24/2007 8:15:56 PM   SYSTEM   1696   Sign of "Win32:Alphabet [Trj]" has been found in "http://l.mezzicodec.net/a412/de.php?b=779\[PECompact]" file. 
5/24/2007 7:52:29 AM   user   3884   Sign of "Win32:Spyware-gen. [Trj]" has been found in "C:\Archives\zrnb.exe" file. 
5/24/2007 7:11:12 AM   SYSTEM   2012   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\b122.exe" file. 
5/24/2007 7:10:54 AM   SYSTEM   2012   Sign of "Win32:Agent-GSA [Trj]" has been found in "C:\tcjlicw.exe\[UPX]" file. 
5/24/2007 7:10:53 AM   SYSTEM   2012   Sign of "Win32:Agent-GSA [Trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\NI7QE6X4\rsctda[1].htm\[UPX]" file. 
5/24/2007 7:10:50 AM   SYSTEM   2012   Sign of "Win32:Agent-GSA [Trj]" has been found in "C:\tcjlicw.exe\[UPX]" file. 
5/24/2007 7:10:46 AM   SYSTEM   2012   Sign of "Win32:Agent-GSA [Trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GMBPQ8R9\rsctda[1].htm\[UPX]" file. 
5/24/2007 7:10:37 AM   SYSTEM   2012   Sign of "Win32:Agent-GSA [Trj]" has been found in "C:\tcjlicw.exe\[UPX]" file. 
5/24/2007 7:10:34 AM   SYSTEM   2012   Sign of "Win32:Agent-GSA [Trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\NI7QE6X4\rsctda[1].htm\[UPX]" file. 
5/24/2007 7:10:30 AM   SYSTEM   2012   Sign of "Win32:Agent-GSA [Trj]" has been found in "C:\tcjlicw.exe\[UPX]" file. 
5/24/2007 7:10:20 AM   SYSTEM   2012   Sign of "Win32:Agent-GSA [Trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GMBPQ8R9\rsctda[1].htm\[UPX]" file. 
5/24/2007 7:10:17 AM   SYSTEM   2012   Sign of "Win32:Agent-GSA [Trj]" has been found in "C:\tcjlicw.exe\[UPX]" file. 
5/24/2007 7:10:10 AM   SYSTEM   2012   Sign of "Win32:Agent-GSA [Trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\NI7QE6X4\rsctda[1].htm\[UPX]" file. 
5/24/2007 7:10:05 AM   SYSTEM   2012   Sign of "Win32:Small-ECR [Trj]" has been found in "C:\tbsrqet.exe" file. 
5/24/2007 7:09:55 AM   SYSTEM   2012   Sign of "Win32:Small-ECR [Trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\K9DSY13U\spvogojr[1].htm" file. 
5/24/2007 7:09:52 AM   SYSTEM   2012   Sign of "Win32:Small-ECR [Trj]" has been found in "C:\tbsrqet.exe" file. 
5/24/2007 7:09:44 AM   SYSTEM   2012   Sign of "Win32:Small-ECR [Trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\L0FIYQG0\spvogojr[1].htm" file. 
5/24/2007 7:09:41 AM   SYSTEM   2012   Sign of "Win32:Small-ECR [Trj]" has been found in "C:\tbsrqet.exe" file. 
5/24/2007 7:09:38 AM   SYSTEM   2012   Sign of "Win32:Small-ECR [Trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\K9DSY13U\spvogojr[1].htm" file. 
5/24/2007 7:09:33 AM   SYSTEM   2012   Sign of "Win32:Small-ECR [Trj]" has been found in "C:\tbsrqet.exe" file. 
5/24/2007 7:09:30 AM   SYSTEM   2012   Sign of "Win32:Small-ECR [Trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\L0FIYQG0\spvogojr[1].htm" file. 
5/24/2007 7:08:56 AM   SYSTEM   2012   Sign of "Win32:Small-ECR [Trj]" has been found in "C:\tbsrqet.exe" file. 
5/24/2007 7:08:53 AM   SYSTEM   2012   Sign of "Win32:Small-ECR [Trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\K9DSY13U\spvogojr[1].htm" file. 
5/24/2007 7:08:50 AM   SYSTEM   2012   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\ecri.exe" file. 
5/24/2007 7:08:48 AM   SYSTEM   2012   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\T9KZVWIQ\mjaibj[1].htm" file. 
5/24/2007 7:08:46 AM   SYSTEM   2012   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\ecri.exe" file. 
5/24/2007 7:08:43 AM   SYSTEM   2012   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\K9DSY13U\mjaibj[1].htm" file. 
5/24/2007 7:08:40 AM   SYSTEM   2012   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\ecri.exe" file. 
5/24/2007 7:08:38 AM   SYSTEM   2012   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\T9KZVWIQ\mjaibj[1].htm" file. 
5/24/2007 7:08:35 AM   SYSTEM   2012   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\ecri.exe" file. 
5/24/2007 7:08:32 AM   SYSTEM   2012   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\K9DSY13U\mjaibj[1].htm" file. 
5/24/2007 7:08:29 AM   SYSTEM   2012   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\ecri.exe" file. 
5/24/2007 7:08:27 AM   SYSTEM   2012   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\8HUM3PG9\mjaibj[1].htm" file. 
5/24/2007 7:08:06 AM   SYSTEM   2012   Sign of "Win32:PurityScan-AF [Trj]" has been found in "C:\Program Files\Common Files\Yazzle1162OinAdmin.exe\[PECompact]" file. 
5/24/2007 7:08:01 AM   SYSTEM   2012   Sign of "Win32:Agent-ECD [Trj]" has been found in "http://l.mezzicodec.net/a412/tr.php?m=0&b=779\[PECompact]" file. 
5/24/2007 7:07:56 AM   SYSTEM   2012   Sign of "Win32:Agent-FDG [Trj]" has been found in "http://l.mezzicodec.net/a412/sv.php?m=0&b=779" file. 
5/24/2007 7:07:32 AM   SYSTEM   2012   Sign of "Win32:Alphabet [Trj]" has been found in "http://l.mezzicodec.net/a412/de.php?b=779\[PECompact]" file. 
5/4/2007 6:27:30 AM   SYSTEM   136   An error has occured while attempting to update. Please check the logs. 
5/4/2007 6:27:28 AM   SYSTEM   136   Function setifaceUpdatePackages() has failed. Return code is 0xC0000005, dwRes is C0000005. 
3/11/2007 5:24:39 AM   SYSTEM   784   AAVM - scanning warning: x_AavmCheckFileDirectEx: http://ftp.osuosl.org/pub/opensuse/distribution/10.2/iso/dvd/openSUSE-10.2-GM-LiveDVD.iso (C:\WINDOWS\TEMP\_avast4_\unp67567245.tmp) returning error, 00000084. 
3/10/2007 7:45:28 AM   SYSTEM   1896   AAVM - scanning warning: x_AavmCheckFileDirectEx: http://covet.cs.utah.edu/pub/opensuse/distribution/10.2/iso/dvd/openSUSE-10.2-GM-DVD-i386.iso (C:\WINDOWS\TEMP\_avast4_\unp49774713.tmp) returning error, 0000001E. 
1/14/2007 10:55:34 AM   SYSTEM   2040   Sign of "Win32:Adan-055 [Adw]" has been found in "http://launch.gamespyarcade.com/software/launch/alaunch.cab\gsda.dll" file. 
12/25/2006 8:28:43 AM   user   2124   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Archives\ProShow.Gold.v2.5.1614.WinAll.Incl.Keygenerator-TMG.ZIP\crack-inf.exe" file. 
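The avast! log above interleaves hits on cached web pages (Content.IE5) with executables that appear in C:\ a second or two later, plus the URLs they came from. Reading that chain by eye across sixty lines is tedious, so here is an added example (not part of the thread, not avast's own tooling) that parses lines in that log format, classifies each detection by where it was found, and pairs each browser-cache hit with an executable carrying the same signature that was dropped within a short window. The sample log is a constructed subset of the lines in the post; the ten-second pairing window is an assumption.

```python
"""Triage an avast! 4 warning log: classify detections by location and pair
browser-cache hits with executables dropped moments later (drive-by chain)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the log posted above (a subset of its
# lines, not a new capture). The last line is an update error, not a detection.
SAMPLE_LOG = """\
5/24/2007 8:16:19 PM   SYSTEM   1696   Sign of "Win32:Agent-FDG [Trj]" has been found in "http://l.mezzicodec.net/a412/sv.php?m=0&b=779" file.
5/24/2007 7:10:53 AM   SYSTEM   2012   Sign of "Win32:Agent-GSA [Trj]" has been found in "C:\\Documents and Settings\\user\\Local Settings\\Temporary Internet Files\\Content.IE5\\NI7QE6X4\\rsctda[1].htm\\[UPX]" file.
5/24/2007 7:10:54 AM   SYSTEM   2012   Sign of "Win32:Agent-GSA [Trj]" has been found in "C:\\tcjlicw.exe\\[UPX]" file.
5/24/2007 7:09:55 AM   SYSTEM   2012   Sign of "Win32:Small-ECR [Trj]" has been found in "C:\\Documents and Settings\\user\\Local Settings\\Temporary Internet Files\\Content.IE5\\K9DSY13U\\spvogojr[1].htm" file.
5/24/2007 7:10:05 AM   SYSTEM   2012   Sign of "Win32:Small-ECR [Trj]" has been found in "C:\\tbsrqet.exe" file.
5/4/2007 6:27:30 AM   SYSTEM   136   An error has occured while attempting to update. Please check the logs.
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.')


def classify(path):
    """Bucket a detection by where the file lives; the bucket tells you what
    kind of evidence it is (download source, cache copy, dropped payload...)."""
    p = path.lower()
    if p.startswith(('http://', 'https://')):
        return 'url'                # the web scanner caught the download itself
    if 'content.ie5' in p:
        return 'browser-cache'      # IE cache copy of what the browser fetched
    if 'system volume information' in p:
        return 'restore-point'      # old copy saved by System Restore
    if '\\temp\\' in p:
        return 'temp'
    if re.fullmatch(r'[a-z]:\\[^\\]+\.exe', p):
        return 'drive-root-exe'     # executable written straight to the drive root
    return 'other'


def parse_log(text):
    """Return detection events (skipping update/scan warnings), oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Drop avast's archive-member suffix such as "\[UPX]" or "\[PECompact]".
        path = re.sub(r'\\\[[^\]]+\]$', '', m['path'])
        events.append({'ts': datetime.strptime(m['ts'], '%m/%d/%Y %I:%M:%S %p'),
                       'pid': int(m['pid']), 'sig': m['sig'],
                       'path': path, 'kind': classify(path)})
    events.sort(key=lambda e: e['ts'])
    return events


def drive_by_chains(events, window=timedelta(seconds=10)):
    """Pair each browser-cache hit with an executable of the same signature
    written within `window` after it: cache copy = download, .exe = payload."""
    chains = []
    for cache in (e for e in events if e['kind'] == 'browser-cache'):
        for drop in events:
            delta = drop['ts'] - cache['ts']
            if (drop['kind'] != 'browser-cache' and drop['path'].lower().endswith('.exe')
                    and drop['sig'] == cache['sig'] and timedelta(0) <= delta <= window):
                chains.append((cache['path'], drop['path'], int(delta.total_seconds())))
    return chains


def summarize(events):
    """Unique paths per location bucket."""
    by_kind = defaultdict(set)
    for e in events:
        by_kind[e['kind']].add(e['path'])
    return {k: sorted(v) for k, v in by_kind.items()}


if __name__ == '__main__':
    evs = parse_log(SAMPLE_LOG)
    for kind, paths in summarize(evs).items():
        print(f'{kind}: {len(paths)} path(s)')
    for cache, dropped, secs in drive_by_chains(evs):
        print(f'{cache} -> {dropped} ({secs}s later)')
```

The pairing is what makes the log readable: a cache copy followed within seconds by a same-signature executable in C:\ is a browser-side download writing its payload, and the `url` bucket names the host that served it. Detections under System Volume Information are copies System Restore made of already-removed files and do not by themselves mean the machine is still infected.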
Title: Re: H! E! L! P!
Post by: FreewheelinFrank on May 26, 2007, 02:59:22 PM
Hi daronmiller,

Nothing obvious in the log. Try a scan for rootkits (hidden malware):

http://www.pandasoftware.com/products/antirootkit/ (http://www.pandasoftware.com/products/antirootkit/)

Also try AVG Anti-Spyware (Ewido):

http://www.ewido.net/en/ (http://www.ewido.net/en/)

(For spelling I recommend the in-line spell checker with Firefox.)

Title: Re: H! E! L! P!
Post by: daronmiller on May 26, 2007, 03:02:52 PM
OK, I'm on it. :)
Title: Re: H! E! L! P!
Post by: mauserme on May 26, 2007, 03:28:02 PM
I'm not entirely sure about that beta of HijackThis.  The log is very short.

After checking for rootkits try Deckard's System Scanner.  It will give us a HJT v1.99.1 log plus a little more to work with.


Download Deckard's System Scanner (DSS) (http://deckard.geekstogo.com/dss.exe) to your Desktop.

Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow Deckard's System Scanner to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)

Post the main.txt from the C:\Deckard\System Scanner folder into your next replies - you will need to use multiple posts to fit everything.



You should also get a firewall installed.  Here's a link to Comodo

http://www.filehippo.com/download_comodo/

Zone Alarm and PC Tools Firewall are also good.
Title: Re: H! E! L! P!
Post by: essexboy on May 26, 2007, 04:00:49 PM
Would agree on the length of the log: suspiciously small. Beta means work in progress; I would recommend sticking with 1.99 for the moment. Definitely trojans on there, possibly the new Virtumonde, but not sure yet; see what DSS says.
Title: Re: H! E! L! P!
Post by: daronmiller on May 26, 2007, 05:15:30 PM
OK, AVG found a trojan (trojan.dialer.qn) and cleaned it. I'm running the rootkit scan now. I also ran the Avast boot scan, and according to the logs and chest, it found nothing.

The HJT log might be small because I cleaned out a bunch of stuff with it that I felt was safe to remove when I began using it. I HAD run the VundoFix thing when this all started, and it cleaned 8 files, but the email stuff was still going on. So far THIS reboot (since AVG), I'm not seeing any outbound emails. If I get this licked I'm probably going to re-run ALL the scans to validate nothing else is found. Then, I want to find a programmer that works in virus and trojan software and, ummmmm,...THANK him for all the time I've had to waste scanning and cleaning. I also need to find out if it's illegal in Texas to place a head-on-a-pole in front of your house (in case I FIND that programmer :))

I will try the DSS thing in a bit, but...should I replace the Windows Firewall with Comodo? I do have the firewall turned on with no exceptions, but if Comodo is better I'll install it.
Title: Re: H! E! L! P!
Post by: mauserme on May 26, 2007, 05:43:48 PM
The Windows Firewall provides no outbound protection so, once you're infected, email, personal data, or whatever can be sent out with no notification at all.  Comodo will control this.

Also, please post the VundoFix log when you can, as well as DSS.
Title: Re: H! E! L! P!
Post by: daronmiller on May 26, 2007, 05:48:27 PM
OK, I should have KNOWN better than to say it was fixed... :(

Anyway, here is the dump from DSS (Part 1):

Deckard's System Scanner v20070426.43
Run by user on 2007-05-26 at 10:35:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-05-26 15:35:19 UTC - RP1 - System Checkpoint


Performed disk cleanup.


-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:38:08 AM, on 5/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\user\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\user.exe
Title: Re: H! E! L! P!
Post by: daronmiller on May 26, 2007, 05:48:57 PM
...Part 2

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 giveio - c:\windows\system32\giveio.sys
R0 speedfan - c:\windows\system32\speedfan.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>

S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; NetGroup - Politecnico di Torino; WinPcap Netgroup Packet Filter Driver>
S3 RivaTuner32 - c:\program files\rivatuner v2.0 final release\rivatuner32.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 WMPNetworkSvc (Windows Media Player Network Sharing Service) - "c:\program files\windows media player\wmpnetwk.exe" (file missing)
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; NetGroup - Politecnico di Torino; Remote Packet Capture Daemon>
S4 Imapi Helper - "c:\program files\alex feinman\iso recorder\imapihelper.exe" <Not Verified; Alex Feinman; ISO Recorder>


-- Scheduled Tasks -------------------------------------------------------------

2007-05-25 17:15:00       388 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2007-03-21 06:58:54       284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
Title: Re: H! E! L! P!
Post by: daronmiller on May 26, 2007, 05:49:21 PM
...Part 3

-- Files created between 2007-04-26 and 2007-05-26 -----------------------------

2007-05-26 10:00:25      8704 --a------ C:\WINDOWS\system32\drivers\amathsifvidv.sys
2007-05-25 20:16:02         0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-05-25 20:16:02         0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-05-25 20:16:02         0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-05-25 20:16:02         0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-05-25 20:16:02         0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-05-25 20:16:02    229376 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-05-25 20:16:02         0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-05-25 20:16:02         0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-05-25 20:16:02         0 dr-h----- C:\Documents and Settings\Administrator\Local Settings
2007-05-25 20:16:02         0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-05-25 20:16:02         0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-05-25 20:16:02         0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-05-25 20:16:02         0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-05-25 20:16:02         0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-05-25 18:02:51         0 d-------- C:\HiJackThis
2007-05-25 15:42:13         0 d-------- C:\Program Files\a-squared Free
2007-05-24 21:23:25         0 d-------- C:\VundoFix Backups
2007-05-24 21:09:45         0 d-------- C:\Program Files\Spyware Doctor
2007-05-24 21:09:45         0 d-------- C:\Documents and Settings\user\Application Data\PC Tools
2007-05-24 20:21:57    209526 --a------ C:\WINDOWS\system32\vrsyeutj.exe
2007-05-24 07:10:58         2 --a------ C:\752151790
2007-05-24 07:08:10      1536 --a------ C:\xxxcwainda.exe
2007-05-15 18:56:59         0 d-------- C:\MoTeC
2007-05-15 18:56:57         0 d-------- C:\Program Files\MoTeC
2007-04-27 16:21:03         0 d-------- C:\Program Files\GTR2


-- Find3M Report ---------------------------------------------------------------

2007-05-26 07:29:27         0 d-------- C:\Program Files\WhatsRunning
2007-05-25 21:16:02         0 d-------- C:\Documents and Settings\user\Application Data\wsInspector
2007-05-25 17:34:53         0 d-------- C:\Documents and Settings\user\Application Data\VMware
2007-05-24 19:26:54         0 d-------- C:\Documents and Settings\user\Application Data\Simple Sudoku
2007-05-10 20:03:36         0 d-------- C:\Program Files\Simple Sudoku
2007-04-02 18:11:35         0 d-------- C:\Program Files\EA SPORTS
2007-04-01 22:11:41         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-03-31 16:18:05         0 d-------- C:\Program Files\Common Files\Logitech
2007-03-31 16:17:57         0 d-------- C:\Program Files\Logitech


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}   C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
  63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
  6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
  73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A00ED310-6EE3-4764-883D-F0B833AEC645}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
   Authentication Packages   REG_MULTI_SZ      msv1_0\0\0
   Security Packages   REG_MULTI_SZ      kerberos\0msv1_0\0schannel\0wdigest\0\0
   Notification Packages   REG_MULTI_SZ      scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Auto EPSON Stylus C84 Series on VALUED-ECECF7F4"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2D1.EXE /P47 \"Auto EPSON Stylus C84 Series on VALUED-ECECF7F4\" /O26 \"\\\\VALUED-ECECF7F4\\Printer4\" /M \"Stylus C84\""
"EPSON Stylus C84 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2D1.EXE /P23 \"EPSON Stylus C84 Series\" /O6 \"USB001\" /M \"Stylus C84\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
 
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter   REG_MULTI_SZ      HTTPFilter\0\0
LocalService   REG_MULTI_SZ      Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService   REG_MULTI_SZ      DnsCache\0\0
DcomLaunch   REG_MULTI_SZ      DcomLaunch\0TermService\0\0
rpcss   REG_MULTI_SZ      RpcSs\0\0
imgsvc   REG_MULTI_SZ      StiSvc\0\0
termsvcs   REG_MULTI_SZ      TermService\0\0
WudfServiceGroup   REG_MULTI_SZ      WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_RPCLOCATOR


-- End of Deckard's System Scanner: finished at 2007-05-26 at 10:38:48 ---------

Title: Re: H! E! L! P!
Post by: daronmiller on May 26, 2007, 05:49:48 PM
And here is the VundoFix scan report....


VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 9:23:25 PM 5/24/2007

Listing files found while scanning....


VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 10:31:18 PM 5/24/2007

Listing files found while scanning....

c:\windows\fonts\apdb.dll
C:\WINDOWS\system32\gwrhjgcf.dll
C:\WINDOWS\system32\khfgdef.dll
C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\knnmp.bak2
C:\WINDOWS\system32\knnmp.ini
C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\knnmp.tmp
C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\qknxywlt.ini
C:\WINDOWS\system32\tlwyxnkq.dll

Beginning removal...

 Attempting to delete c:\windows\fonts\apdb.dll
c:\windows\fonts\apdb.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\gwrhjgcf.dll
C:\WINDOWS\system32\gwrhjgcf.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\khfgdef.dll
C:\WINDOWS\system32\khfgdef.dll Could not be deleted.

 Attempting to delete C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\knnmp.bak1 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\knnmp.bak2
C:\WINDOWS\system32\knnmp.bak2 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\knnmp.ini
C:\WINDOWS\system32\knnmp.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\knnmp.ini2 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\knnmp.tmp
C:\WINDOWS\system32\knnmp.tmp Has been deleted!

 Attempting to delete C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\pmnnk.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\qknxywlt.ini
C:\WINDOWS\system32\qknxywlt.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\tlwyxnkq.dll
C:\WINDOWS\system32\tlwyxnkq.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

 Attempting to delete C:\WINDOWS\system32\khfgdef.dll
C:\WINDOWS\system32\khfgdef.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 10:49:30 PM 5/24/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 8:28:06 PM 5/25/2007

Listing files found while scanning....

No infected files were found.

Title: Re: H! E! L! P!
Post by: daronmiller on May 26, 2007, 05:50:14 PM
Ok, I'm going to go and buy an abacus. Do they make games for those? :)
Title: Re: H! E! L! P!
Post by: DavidR on May 26, 2007, 05:51:13 PM
I'm not entirely sure about that beta of HijackThis.  The log is very short.

I have been using the beta 2.0 version and even though my system is fairly buttoned down, my log file is larger; it is almost like 1.99 being run from safe mode. If anything the beta lists more things than 1.99.1 does.

So was this beta version of HJT 2.0 run from safe mode?
Title: Re: H! E! L! P!
Post by: daronmiller on May 26, 2007, 05:54:13 PM
No, I just ran it within "normal" windows. I have to reboot now to install the comodo firewall. I'll be back.
Title: Re: H! E! L! P!
Post by: mauserme on May 26, 2007, 06:04:52 PM
Upload these files to Virus Total (http://www.virustotal.com/en/indexf.html) for analysis and post the results if anything is found:

C:\WINDOWS\system32\drivers\amathsifvidv
C:\WINDOWS\system32\vrsyeutj.exe
C:\752151790
C:\xxxcwainda.exe
Title: Re: H! E! L! P!
Post by: daronmiller on May 26, 2007, 06:11:59 PM
The xxxcwainda.exe is infected. I added the "xxx" to try and hide it, BUT, more importantly, I can't connect to that site (VirusTotal).   HELP!
Title: Re: H! E! L! P!
Post by: daronmiller on May 26, 2007, 06:15:54 PM
According to Comodo, the files ashMaiSv.exe and svchost appear responsible for all the network traffic (emails). Is it possible one of those is infected? I can't get over how hard it is to track down an application sending email....
Title: Re: H! E! L! P!
Post by: kojta on May 26, 2007, 06:46:04 PM
I found Sophos Anti-Rootkit very useful for removing some rootkits that other tools couldn't find.

http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
Title: Re: H! E! L! P!
Post by: mauserme on May 26, 2007, 07:16:10 PM
The xxxcwainda.exe is infected. I added the "xxx" to try and hide it, BUT, more importantly, I can't connect to that site (VirusTotal).   HELP!
How do you know it's infected, and by what?

I can't connect to Virus Total right now either.  Same or Jotti.  It must be a busy day for them.

According to Comodo, the file ashMaiSv.exe and svchost appears responsible for all the network traffic (emails). Is it possible one of those is infected? I can't get over how hard it is to track down an application sending email....

ashMaiSv.exe is the avast! proxy that scans your email. It will look like this is the source of the problem in the firewall, but it's actually an underlying process that we haven't identified yet. And it's normal for svchost.exe to have some internet access, but constant access is not normal. Please check the spelling and file location for this one - make sure it's not something like scvhost.exe with the "v" transposed with the "c", or SVCH0ST.EXE with a numeric "0" where the alpha "o" should be.

Did you install Simple Soduko on 24 May?  That date matches the file creation date for some of the suspicious files and also matches many of the detections in the avast! log.  It could be this

http://www.pctools.com/mrc/infections/id/Yazzle+Sudoku/


EDIT:  Let's get your Java up to date.  You can install the latest version here

http://www.java.com/en/download/manual.jsp

Then make sure to uninstall all older versions in Add/Remove Programs as the update process will not do this for you.
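The advice above (update Java, then remove the leftover old versions by hand) can be checked from a script. The following is an added example, not code from the thread or from Sun/Oracle: it reads the Add/Remove Programs entries from the standard Windows Uninstall registry keys, parses each Java runtime's version, and flags every entry older than the newest one. It assumes PowerShell 3.0 or later and the usual Uninstall key locations; the "Auto Updater" entry is excluded because its version number is unrelated to the runtime's.

```powershell
# Added example, not from the thread: audit installed Java runtimes via the
# Add/Remove Programs (Uninstall) registry keys and flag every entry older
# than the newest one, since the Java updater leaves old versions behind.
# Assumes PowerShell 3.0+; the paths are the standard Windows Uninstall keys
# (64-bit systems also carry the WOW6432Node copy).

function Get-InstalledJava {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -match '^(Java|J2SE)' -and
            $_.DisplayName -notmatch 'Auto Updater' -and
            $_.DisplayVersion
        } |
        ForEach-Object {
            [PSCustomObject]@{
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                UninstallString = $_.UninstallString
            }
        }
}

function Find-StaleJava {
    # Parse DisplayVersion (e.g. "1.5.0.110", "1.6.0.10") into [version] so the
    # comparison is numeric rather than a string sort.
    $entries = foreach ($java in Get-InstalledJava) {
        $parsed = $null
        if ([version]::TryParse($java.DisplayVersion, [ref]$parsed)) {
            [PSCustomObject]@{
                DisplayName     = $java.DisplayName
                Version         = $parsed
                UninstallString = $java.UninstallString
            }
        }
    }
    if (-not $entries) { return }
    $newest = ($entries | Sort-Object Version -Descending | Select-Object -First 1).Version
    foreach ($entry in $entries) {
        [PSCustomObject]@{
            DisplayName     = $entry.DisplayName
            Version         = $entry.Version.ToString()
            Stale           = $entry.Version -lt $newest
            UninstallString = $entry.UninstallString
        }
    }
}

Find-StaleJava | Format-Table -AutoSize
```

Entries reported with Stale set to True are the ones to remove through Add/Remove Programs (or by running their UninstallString); the newest runtime stays.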

Title: Re: H! E! L! P!
Post by: daronmiller on May 26, 2007, 08:11:41 PM
The spelling was correct on the svchost file. The sudoku program has been on the PC for a while. The original CAUSE of the infection was my own momentary stupidity in running a file I KNEW I shouldn't have. Actually, there is no more room on my a** for footprints right now as I have been kicking myself for my momentary stupidity.

I will update the Java. All scans from the software I can find show clean, but, every now and then I still see pop-ups from avast scanning outgoing email. I realize that the processes using time may not be the originators, it was just something I noticed on the display. The hard drive appears to be clean (if I can trust the X programs I keep scanning with). And yet...emails get sent. :)

The rest of the PC appears to be functioning OK. Maybe I just have something new, and I will just have to wait till databases get updated and someone finds something to remove this?

BTW, ran the rootkit tool, and nothing was found (except a few hidden registry entries). And thanks for letting me know the scan sites aren't working right now. I ... honestly was hoping it was a "second" symptom. :)

Before I GIVE UP... I want to thank EVERYONE who has made suggestions or offered any kind of help or effort in trying to help me. I really appreciate all your efforts, and I hope someday I can be as nice and return the favor to someone else.


Daron
Title: Re: H! E! L! P!
Post by: daronmiller on May 26, 2007, 08:16:24 PM
I'm beginning to think that maybe a computer virus is just God's way of saying "Hey, been a while since you cleaned up your PC and got rid of all those programs you never use anymore. Maybe you should start over, like when you BOUGHT the PC."


:)
Title: Re: H! E! L! P!
Post by: Lisandro on May 26, 2007, 08:24:18 PM
I'm beginning to think that maybe a computer virus is just God's way of saying "Hey, been a while since you cleaned up your PC and got rid of all those programs you never use anymore. Maybe you should start over, like when you BOUGHT the PC."
:)
Sometimes the penitence for opening/running a 'bad' file is trying to get clean again: you can learn, test, etc.
Reformatting is a radical option. It works, but you don't learn. You won't be prepared to avoid such a situation in the future.
Just my 0.01.
Title: Re: H! E! L! P!
Post by: mauserme on May 26, 2007, 08:27:38 PM
Before I GIVE UP...
Gosh, you don't look like a quitter  :)

Just be patient.  Virus Total will be back up in a while.  I actually did get their email submission option at one point so it is a matter of being really busy. 

In the meantime scan with SuperAntiSpyware (unless you've already tried it)

http://www.superantispyware.com/

Do a complete scan and quarantine at the end.  Then post the log that you will find in Preferences> Statistics/Logs.


EDIT:  And what is xxxcwainda.exe ?
Title: Re: H! E! L! P!
Post by: daronmiller on May 27, 2007, 12:09:31 AM
OK folks, here's the latest status.

Still scanning with various programs. Only thing found seems to be suspicious tracking cookies. NOT the cause of the emails I'm sure.

The xxxw... file was originally name cwainda.exe. I don't know what app it was for, and I don't recall what software found it had a virus, but I renamed it to be safe.

I scanned the four files. xxxcwainda.exe was found by 8 scanners to be infected, so it's getting destroyed.
The amathsifvidv.sys was clean, the vrsyeutj.exe file was found infected by 7 scans, so I'm renaming it and then destroying it if all appears ok. The 752151790 file was only suspected by 1 of the scans, so I'm going to guess it's probably safe, though I have NO idea what software it's associated with. I might rename it and see what happens.

So... the hunt continues. :)

Title: Re: H! E! L! P!
Post by: DavidR on May 27, 2007, 12:51:07 AM
If any of the files uploaded are confirmed as infected ensure samples are sent to avast if avast doesn't detect them, this will help improve detections for everyone, don't just delete them.

You can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest.
Title: Re: H! E! L! P!
Post by: daronmiller on May 27, 2007, 12:58:34 AM
I haven't deleted them yet, though I did rename them. I'll send them soon. Why can't the avast mail scanner advise me what application is sending the mail? Wouldn't THAT make this a bit easier to trace?

I renamed/moved the files, rebooted, and emails are still getting sent. )@(#)(@*#)(*@%)(@*#)(@#


Title: Re: H! E! L! P!
Post by: Lisandro on May 27, 2007, 01:01:41 AM
I haven't deleted them yet, though I did rename them. I'll send them soon. Why can't the avast mail scanner advise me what application is sending the mail? Wouldn't THAT make this a bit easier to trace?
Maybe you can add the following line to the [MailScanner] section of <avast>\data\avast4.ini:
Log=20
Then generate some traffic, simulate the problem (i.e. force the avast mail scanner to time out by sending an email with attachment) and then post here the contents of the file <avast>\data\log\aswMaiSv.log

Details: http://forum.avast.com/index.php?topic=12234.msg103474#msg103474
Title: Re: H! E! L! P!
Post by: DavidR on May 27, 2007, 01:09:05 AM
I haven't deleted them yet, though I did rename them. I'll send them soon. Why can't the avast mail scanner advise me what application is sending the mail? Wouldn't THAT make this a bit easier to trace?

I renamed/moved the files, rebooted, and emails are still getting sent. )@(#)(@*#)(*@%)(@*#)(@#

1. What is your Internet Mail sensitivity? High would be best, as that can detect multiple identical emails being sent.

2. Spam being sent isn't infected, so it won't be detected; avast isn't an anti-spam, so it won't know if these emails are legit or not. The email scanner doesn't know what email program is sending email, as it operates outside any email program and only scans content using the email protocols and ports: 25, 110, 119 and 143.

What is your firewall?
That should be your first line of defence for blocking unauthorised outbound Internet Connections. Though some firewalls don't provide outbound protection such as XP's firewall.

You could also try TCPview which should show what connections are present.
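The point made above is the crux of the thread: the mail scanner sees only the ports and the content, so the question "which process is sending?" has to be answered by mapping connections to their owning process, which is what TCPview does. The following is an added example, not code from the thread or from any of the tools it names: it lists live TCP connections on the mail ports together with the owning process and path, and adds a before/after snapshot comparison for catching a short-lived sender. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection (on the XP box in this thread the same PID-to-port data comes from `netstat -ano`). Ports 25, 110, 119 and 143 are the ones named above; 465 and 587 are an addition because modern mail submission uses them. The loopback handling is an assumption about how a local scanning proxy is wired in, not a statement about avast's internals.

```powershell
# Added example, not from the thread: map live TCP connections on the mail
# ports to their owning process, the same view TCPview gives interactively.
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection).
# 25, 110, 119, 143 are the ports the mail scanner watches; 465 and 587 are
# added here because modern mail submission uses them.
$MailPorts = 25, 110, 119, 143, 465, 587

function Get-MailPortConnections {
    param([int[]]$Ports = $MailPorts)

    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.RemotePort -and $_.State -ne 'Listen' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            # Assumption: where a local scanning proxy accepts client traffic on
            # loopback, the loopback connections reveal the originating client,
            # while the proxy's own connection to the real server (ashMaiSv.exe
            # in this thread) only shows the proxy.
            $toLoopback = $_.RemoteAddress -in @('127.0.0.1', '::1')
            [PSCustomObject]@{
                Process       = $proc.ProcessName
                PID           = $_.OwningProcess
                Path          = $proc.Path
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
                ToLoopback    = $toLoopback
            }
        }
}

function Compare-MailPortSnapshots {
    # "Before and after" check: snapshot, wait for mail-scanner activity,
    # snapshot again, and report connections that only exist in the second.
    param([int]$DelaySeconds = 30)
    $before = @(Get-MailPortConnections)
    Start-Sleep -Seconds $DelaySeconds
    $after  = @(Get-MailPortConnections)
    $known  = @($before | ForEach-Object { "$($_.PID):$($_.RemoteAddress):$($_.RemotePort)" })
    $after | Where-Object { $known -notcontains "$($_.PID):$($_.RemoteAddress):$($_.RemotePort)" }
}

Get-MailPortConnections | Sort-Object ToLoopback -Descending | Format-Table -AutoSize
```

A process with no business sending mail (a random name under system32, an executable in the root of C:, a service with a missing file) that owns a connection on port 25 is the lead to follow; an antivirus proxy or a browser owning one is expected. Keeping the script in a loop with Compare-MailPortSnapshots avoids having to catch the scanner icon by hand.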
Title: Re: H! E! L! P!
Post by: mauserme on May 27, 2007, 01:16:02 AM
Could you post the scan results for the infected files.  There might be clues there.
Title: Re: H! E! L! P!
Post by: daronmiller on May 27, 2007, 01:22:35 AM
OK, I changed the "Log" entry. I can't generate mail traffic as I don't use any mail clients on this PC. (I use internet mail normally). Although, I suspect the virus will take care of generating traffic (but I doubt there are any attachments).

The virus has to be connecting somewhere to get the subjects/addresses, etc, I just don't know how to trap and find it (or what I would look for).

The mail settings ARE set for high. I just installed comodo firewall (replacing Windows Firewall) at the advice of this thread. If someone can inform me how to stop outbound emails from my PC, I would be thrilled. As I don't use this PC to send mail, I don't see any impact to closing the mail door, and I would feel better by not adding spam to the internet-network (and SOMEONE'S inbox). So far, I haven't seen any other impacts of this infection.

I have TCP view, but I'm not sure what to look for. Wouldn't the final outbound process for the email be Avast?


I really am tired of spending the whole day waiting on scans to finish. :)  I wonder how long it would take me to scan every dll on the PC via TotalVirus.  lol
Title: Re: H! E! L! P!
Post by: DavidR on May 27, 2007, 02:56:07 AM
You shouldn't have to generate email traffic if, as you say, something on your system is sending email; if it is using port 25 then the Internet Mail provider will be scanning it (the Internet Mail icon should appear when email is being scanned), so traffic will be being generated. Check the log file Tech mentions after some activity.

If you don't use an email client then it will have its own very small SMTP application probably less than 16KB. Sorry I have no personal experience of comodo firewall.

It can get the email addresses sent by the controlling botnet host.

You would have to be fairly quick off the mark when you see the avast Internet Mail icon to run TCPview, or have it running but minimised.

You may need to do a before and after check to identify the application, see images.
Title: Re: H! E! L! P!
Post by: daronmiller on May 27, 2007, 03:50:03 AM
(OK, I know this is dumb...but.....)

I think I might have just found the bug.  I used a program called Blacklight to scan for rootkits, and it found a hidden file called xpdt.sys in the system32 directory. I made 2 attempts to clear it (as an internet search led me to believe this was a real-bad file) but blacklight was unable to make the file visible so it could be renamed/deleted.

THEN...I used a program called RustbFix, and it removed the file. Here is its logfile...

************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************
Sat 05/26/2007 20:21:18.89

******************* Pre-run Status of system *******************

Rootkit driver xpdt is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
  :xpdt.sys                               64156
Total size: 64156 bytes.
Attempting to remove ADS...
system32: deleted 64156 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************

It might be a little early, but I've rebooted twice and ....knock on wood, steel, aluminum, plastic, marshmallow, everything else, so far, no email scans have popped up.
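The RustbFix log above shows the detail that made this rootkit hard to find: the driver was stored as an alternate data stream (":xpdt.sys") attached to the System32 folder itself, which ordinary directory listings never show. The following is an added example, not code from the thread or from the RustbFix tool: it enumerates the alternate data streams on a directory and, optionally, on the files directly inside it, and marks the ones worth a closer look. It assumes PowerShell 3.0 or later (for Get-Item -Stream) and an elevated prompt; the "suspicious" heuristic is this example's own, not a published rule.

```powershell
# Added example, not part of the thread or of the RustbFix tool: enumerate
# alternate data streams (ADS) attached to a directory and, optionally, to the
# files directly inside it. Assumes PowerShell 3.0+ (Get-Item -Stream) and an
# elevated prompt.

function Get-AlternateStreams {
    param(
        [string]$Path = "$env:SystemRoot\System32",
        [switch]$IncludeChildren
    )
    $targets = @(Get-Item -LiteralPath $Path -Force)
    if ($IncludeChildren) {
        $targets += Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    }
    foreach ($item in $targets) {
        # ':$DATA' is the ordinary file content; every other stream is an ADS.
        # Directories without streams raise an error, which is suppressed.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                # Heuristic (this example's own): Zone.Identifier is the benign
                # "downloaded from the Internet" marker; a stream on a directory,
                # or one named like a driver or executable, deserves a look.
                $suspicious = ($_.Stream -ne 'Zone.Identifier') -and
                              ($item.PSIsContainer -or $_.Stream -match '\.(sys|dll|exe)$')
                [PSCustomObject]@{
                    Container   = $item.FullName
                    IsDirectory = $item.PSIsContainer
                    Stream      = $_.Stream
                    Length      = $_.Length
                    Suspicious  = $suspicious
                }
            }
    }
}

Get-AlternateStreams -IncludeChildren | Where-Object Suspicious | Format-Table -AutoSize
```

A stream can be removed with `Remove-Item -LiteralPath <container> -Stream <name>`, but, as this post shows, a stream backing a loaded rootkit driver stays locked until the driver is unloaded first, which is why the earlier attempt to clear it failed and a tool that unloads the driver succeeded.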
Title: Re: H! E! L! P!
Post by: mauserme on May 27, 2007, 06:20:01 AM
(OK, I know this is dumb...but.....)

I think I might have just found the bug. 
Not dumb at all.  It's a very good find.

I suggest a scan with SuperAntiSpyware (see link on page 2) or AVG AntiSpyware at this point since the root kit may have stealthed a number of files

http://free.grisoft.com/doc/20/lng/us/tpl/v5

Follow this with a fresh HJT log.

Title: Re: H! E! L! P!
Post by: daronmiller on May 27, 2007, 06:25:28 AM
The dumb part was saying I think I got it, because of Murphy's Law and all. :0

I will be running scans overnight to try and make myself feel secure that I got it all, but, I'm not seeing any more outgoing emails (SO FAR!!!!!)  Let's hope. (I'll post the HJT log tomorrow.)

Again, thanks to all those who have been helping me.



Daron
Title: Re: H! E! L! P!
Post by: mauserme on May 27, 2007, 06:38:58 AM
Finding the root kit is key to solving this.  Even if you have other infections now, they should be fairly easy to remove.

See you tomorrow...
Title: Re: H! E! L! P!
Post by: daronmiller on May 27, 2007, 06:47:06 PM
OK All, It appears I am now ROOTKIT FREE! No more email scans. Also rescanned with all available software, and now I find nothing. (Whew!) Here is the HJT Log now...

Logfile of HijackThis v1.99.1
Scan saved at 11:44:29 AM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

Now all that's left is to figure out which detectors to leave operating on a day-to-day basis.
Title: Re: H! E! L! P!
Post by: mauserme on May 27, 2007, 10:27:53 PM
The log looks fine (still).

If you ran SuperAntispyware or AVG AntiSpyware after finding the root kit, and that came up clean, then you should be good.  Those are both worth keeping, by the way.

Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe)  by OldTimer.  Save it to your desktop and double-click OTMoveIt.exe to run it, then click the Clean Up button to remove some of the tools (and backups) we've used.


Let's also set a clean System Restore point to finish this up:

1. Click Start>All Programs>Accessories > System tools > System Restore
2. In the dialog box that appears  Click in the radio button to Create a Restore Point
3. Click NEXT
4. Enter a name you will remember if you need to find this again (like Clean Point)
5. Click CREATE

You now have a clean restore point.  Now, to get rid of the bad ones:

1. Click Start>All Programs>Accessories > System tools > Disk Clean Up
2. Click OK on the C: drive
3. Click the More Options tab
4. In the System Restore section click the Clean Up button



EDIT:  These two infected files that you renamed, xxxcwainda.exe and vrsyeutj.exe, should probably also be deleted.