Jacee help with HJT Log Please
-
OK Jacee, here's the MBAM log. However, looking back, I do have an external drive that was not powered up and was excluded from the scan; should I power it up and rescan?
EDIT: That was a dumb question, of course I need to rescan; I'll post the results of the rescan instead.
-
-
Jacee, you work/help at Bleeping Computers forum as well?
-
[quote]Jacee, you work/help at Bleeping Computers forum as well?[/quote]
Yes ... I'm an "HJT Coach/teacher" there
-
-
[quote]OK Jacee, here's the MBAM log. However, looking back, I do have an external drive that was not powered up and was excluded from the scan; should I power it up and rescan?
EDIT: That was a dumb question, of course I need to rescan; I'll post the results of the rescan instead.[/quote]
Please post the log from MBAM ...
You may have an infected flash drive (or?) that's keeping this Vundo infection alive. We can deal with that one a bit later.
-
OK, here is the first one with the external drive off:
Malwarebytes' Anti-Malware 1.36
Database version: 2040
Windows 5.1.2600 Service Pack 2
4/25/2009 5:02:00 PM
mbam-log-2009-04-25 (17-02-00).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 171576
Time elapsed: 1 hour(s), 37 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 41
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\NetworkService32 (Worm.Archive) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\instsp1.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\55.tmp (Worm.P2P) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\79.tmp (Worm.P2P) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\90.tmp (Worm.P2P) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iifcCvvt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\otbfoqif.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ewgbjtvd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmzykc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rymqrk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJDTJBS.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mndnwp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hwadqn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hwmduo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aitaqaer.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xjhkfjwg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vrdpokqt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kqrsywfy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kyrxjjgv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\PROGS\CD + DVD BURNING\Nero Ultra 8.3.6.0 + Keygen (halofubar)\Nero 8 Keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
E:\PROGS\GRAPHICS\ACDSee v9 Photo Manager Incl Keymaker CORE\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\117.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\117.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\118.keygen.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\118.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\119.serial.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\119.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\120.setup.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\120.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\121.music.mp3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\121.music.mp3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\122.music.snd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\122.music.snd.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\123.music.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\123.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\124.video.wmv (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\124.video.wmv.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\78.tmp (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMccYRj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRJBQjJ.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
Here is the second with it on:
Malwarebytes' Anti-Malware 1.36
Database version: 2040
Windows 5.1.2600 Service Pack 2
4/25/2009 8:12:59 PM
mbam-log-2009-04-25 (20-12-59).txt
Scan type: Full Scan (C:\|D:\|E:\|H:\|)
Objects scanned: 172518
Time elapsed: 2 hour(s), 45 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
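The two logs above share one layout: a header, a block of declared counts per section, then each section's entries as `item (Detection.Name) -> outcome`. As an added example (not code from this thread or from Malwarebytes), here is a small Python triage helper that parses that layout and answers the questions a helper looks at first: whether the declared counts match the entries actually listed, which detection families dominate, whether the Security Center "DisableNotify" values were tampered with (those silence the antivirus, firewall and update warnings, which is why they appear in both logs), and whether anything is still pending removal. The embedded sample log is constructed in the posted format from a few entries excerpted from the first log, plus one constructed `locked-example.dll` line whose `Delete on reboot.` outcome is assumed MBAM wording for a file that is locked until restart.

```python
# Added example: triage helper for Malwarebytes' Anti-Malware 1.x text logs
# in the layout posted in this thread. Not MBAM's own code.
import re
from collections import Counter

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
# The item text may itself contain parentheses (e.g. "Keygen (halofubar)\..."),
# so the detection name is the last "(Name)" immediately before " -> ".
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
NO_ITEMS = "(No malicious items detected)"
SUCCESS = "Quarantined and deleted successfully."
SECURITY_CENTER = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\"

# Constructed sample in the posted format: entries excerpted from the first
# log above plus one constructed "Delete on reboot." line (assumed MBAM
# wording for a file locked until restart) so the pending check has a hit.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2040
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 171576
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\NetworkService32 (Worm.Archive) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\ewgbjtvd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NetworkService32\117.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.
E:\PROGS\GRAPHICS\ACDSee v9 Photo Manager Incl Keymaker CORE\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\locked-example.dll (Trojan.Vundo) -> Delete on reboot.
"""


def parse_mbam_log(text):
    """Return {"meta": {...}, "summary": {section: declared count},
    "sections": {section: [{"item", "detection", "action"}, ...]}}."""
    report = {"meta": {}, "summary": {}, "sections": {}}
    current = None  # section whose entries are being read; None while in the header
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line == NO_ITEMS:
            continue
        m = HEADER_RE.match(line)
        if m:  # "Files Infected:" with no number starts that section's entry list
            current = m["section"]
            report["sections"].setdefault(current, [])
            continue
        if current is None:  # still in the header / declared-count block
            m = SUMMARY_RE.match(line)
            if m:
                report["summary"][m["section"]] = int(m["count"])
            elif line.startswith("Malwarebytes' Anti-Malware "):
                report["meta"]["version"] = line.rsplit(" ", 1)[1]
            elif ": " in line:
                key, _, value = line.partition(": ")
                report["meta"][key] = value
            continue
        m = ENTRY_RE.match(line)
        if m:  # the text after the last " -> " is the recorded outcome
            report["sections"][current].append({
                "item": m["item"], "detection": m["detection"],
                "action": m["rest"].split(" -> ")[-1]})
    return report


def count_mismatches(report):
    """Sections whose declared count differs from the entries actually listed."""
    out = {}
    for section, declared in report["summary"].items():
        found = len(report["sections"].get(section, []))
        if declared != found:
            out[section] = (declared, found)
    return out


def detection_families(report):
    """Number of entries per detection name, across all sections."""
    return Counter(e["detection"] for es in report["sections"].values() for e in es)


def security_center_tampering(report):
    """Security Center values that were set to silence AV/firewall/update alerts."""
    return [e["item"][len(SECURITY_CENTER):]
            for e in report["sections"].get("Registry Data Items Infected", [])
            if e["item"].startswith(SECURITY_CENTER)]


def pending_removal(report):
    """Entries whose recorded outcome is not a completed quarantine."""
    return [(e["item"], e["action"]) for es in report["sections"].values()
            for e in es if e["action"] != SUCCESS]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("MBAM", rep["meta"].get("version"), "db", rep["meta"].get("Database version"))
    print("count mismatches:", count_mismatches(rep))
    print("families:", detection_families(rep).most_common())
    print("Security Center alerts disabled:", security_center_tampering(rep))
    print("pending removal:", pending_removal(rep))
```

Run it against a saved `mbam-log-*.txt` by passing the file's contents to `parse_mbam_log`. A non-empty `pending_removal` result means the machine has to be restarted and rescanned before the log can be read as clean, and a `count_mismatches` hit means the log was truncated or edited in the post.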
-
[quote]Yes ... I'm an "HJT Coach/teacher" there[/quote]
Thought so, from the directions you were providing.
-
-
Most excellent jblade!
Now,
remove ComboFix
Go to Start---> Run Command ---> In the space provided, type ComboFix /u and press the Enter Key.
- Click START then RUN
- Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
- When shown the disclaimer, Select "2"
The above procedure will remove:
- ComboFix and its associated files and folders.
Next,
Download ComboFix once again and follow my instructions above, posting the ComboFix.txt and a fresh HJT log taken after the above scan has run.
-
[quote=Jacee;78484]Most excellent jblade!
Now,
remove ComboFix
Go to Start---> Run Command ---> In the space provided, type ComboFix /u and press the Enter Key.
- Click START then RUN
- Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.[/quote]
I got here, but ComboFix tried to run again, and it warned that Avast would interfere.
Should I just uninstall via CP?
-
Look at the instructions once again, then select "2" at the disclaimer :)
-
I don't have Avast, so if you can set it to 'ignore' or exit it for the moment, then do so. We're moving all the bad files out, and we don't want to keep any of them on the machine.
Also, do not use any of your P2P applications! (the cause of your infection)