H8SRTD trojan


H8SRTD trojan

Post by bevomom on Wed Jan 27, 2010 7:23 pm

I have it and it's bad. What a nasty little thing this is. I thought I just had the Malware Defense pop-up, but Malwarebytes seems to have cleaned that up. RootRepeal shows H8srtd. No idea where to go from here, so I'm seeking advice from the experts. Thanks for all you guys do.


Re: H8SRTD trojan

Post by Belahzur on Wed Jan 27, 2010 8:32 pm

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.



Re: H8SRTD trojan

Post by bevomom on Thu Jan 28, 2010 1:13 am

After running for several hours it froze. I will reboot in safe mode and try again. grrr


Re: H8SRTD trojan

Post by bevomom on Thu Jan 28, 2010 6:15 am

Woot, there it is... Thanks a ton for taking this on.

GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-27 23:56:34
Windows 5.1.2600 Service Pack 2
Running: 04r1ns1u.exe; Driver: C:\DOCUME~1\BEVERL~1\LOCALS~1\Temp\pxtdapod.sys


---- System - GMER 1.0.15 ----

Code 8A84F170 ZwEnumerateKey
Code 8A93CB80 ZwFlushInstructionCache
Code 8A853156 IofCallDriver
Code 8A82E416 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\H8SRTeppuwoodpt.sys (*** hidden *** ) BAC49000-BAC65000 (114688 bytes)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\H8SRTvaiekixnhi.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [620] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTvaiekixnhi.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [936] 0x006F0000
Library \\?\globalroot\systemroot\system32\H8SRTvaiekixnhi.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1104] 0x006F0000
Library \\?\globalroot\systemroot\system32\H8SRTvaiekixnhi.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1144] 0x006F0000
Library \\?\globalroot\systemroot\system32\H8SRTvaiekixnhi.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1256] 0x006F0000
Library \\?\globalroot\systemroot\system32\H8SRTvaiekixnhi.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [1656] 0x00C70000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\H8SRTeppuwoodpt.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTeppuwoodpt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTeppuwoodpt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTjnjcyepunv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTveodvjitfj.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTixokrqpklj.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTvaiekixnhi.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTgwsgyiwlwt.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTeppuwoodpt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTeppuwoodpt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTjnjcyepunv.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTveodvjitfj.dat
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTixokrqpklj.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtmsg \\?\globalroot\systemroot\system32\H8SRTvaiekixnhi.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTgwsgyiwlwt.dll

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\h8srtkrl32mainweq.dll 1014 bytes
File C:\Documents and Settings\All Users\Application Data\h8srtmainqt.dll 16723 bytes
File C:\Documents and Settings\Beverly R\Local Settings\Temp\H8SRT81e7.tmp 343040 bytes executable
File C:\Documents and Settings\Beverly R\Local Settings\Temp\h8srtmainqt.dll 16431 bytes
File C:\WINDOWS\SYSTEM32\H8SRTgwsgyiwlwt.dll 40960 bytes executable
File C:\WINDOWS\SYSTEM32\H8SRTixokrqpklj.dll 40960 bytes executable
File C:\WINDOWS\SYSTEM32\H8SRTjnjcyepunv.dll 23040 bytes executable
File C:\WINDOWS\SYSTEM32\h8srtkrl32mainweq.dll 765 bytes
File C:\WINDOWS\SYSTEM32\h8srtshsyst.dll 1572 bytes
File C:\WINDOWS\SYSTEM32\H8SRTvaiekixnhi.dll 19456 bytes executable
File C:\WINDOWS\SYSTEM32\H8SRTveodvjitfj.dat 247 bytes
File C:\WINDOWS\SYSTEM32\DRIVERS\H8SRTeppuwoodpt.sys 40448 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\Temp\H8SRTa22b.tmp 243 bytes
File C:\WINDOWS\Temp\H8SRTa25a.tmp 247 bytes
File C:\WINDOWS\Temp\H8SRTa2f6.tmp 249 bytes
File C:\WINDOWS\Temp\H8SRTa558.tmp 174 bytes
File C:\WINDOWS\Temp\H8SRTe6f5.tmp 238 bytes
File C:\WINDOWS\Temp\H8SRTe908.tmp 40960 bytes executable
File C:\WINDOWS\Temp\H8SRTeabd.tmp 40960 bytes executable

---- EOF - GMER 1.0.15 ----


Re: H8SRTD trojan

Post by Belahzur on Thu Jan 28, 2010 5:44 pm

Hello.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.]

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
H8SRTd.sys

Files to delete:
C:\WINDOWS\system32\drivers\H8SRTeppuwoodpt.sys
C:\WINDOWS\system32\H8SRTvaiekixnhi.dll
C:\WINDOWS\SYSTEM32\H8SRTgwsgyiwlwt.dll
C:\WINDOWS\SYSTEM32\H8SRTixokrqpklj.dll
C:\WINDOWS\SYSTEM32\H8SRTjnjcyepunv.dll
C:\WINDOWS\SYSTEM32\h8srtkrl32mainweq.dll
C:\WINDOWS\SYSTEM32\h8srtshsyst.dll
C:\WINDOWS\SYSTEM32\H8SRTveodvjitfj.dat

Registry keys to delete:
HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys
HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.



Re: H8SRTD trojan

Post by bevomom on Thu Jan 28, 2010 5:52 pm

Thank you! I'm going to assume this will work in safe mode and try it there. I'll get started on that file now.


Re: H8SRTD trojan

Post by bevomom on Thu Jan 28, 2010 6:57 pm

OK, this is the first time my PC would boot in normal mode in over a week. That has to be a good sign! And Internet Explorer wasn't auto-launching in Processes either, so yay for that. I did still notice a svchost error at startup, which I've seen in the past. The only way I've found to get it off my screen is through Task Manager. Not sure if that is H8SRTd-related or not.

In any event, here's the Avenger log:

===============

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "H8SRTd.sys" found!
ImagePath: \systemroot\system32\drivers\H8SRTeppuwoodpt.sys
Driver disabled successfully.

Rootkit scan completed.

Driver "H8SRTd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\H8SRTeppuwoodpt.sys" deleted successfully.
File "C:\WINDOWS\system32\H8SRTvaiekixnhi.dll" deleted successfully.
File "C:\WINDOWS\SYSTEM32\H8SRTgwsgyiwlwt.dll" deleted successfully.
File "C:\WINDOWS\SYSTEM32\H8SRTixokrqpklj.dll" deleted successfully.
File "C:\WINDOWS\SYSTEM32\H8SRTjnjcyepunv.dll" deleted successfully.
File "C:\WINDOWS\SYSTEM32\h8srtkrl32mainweq.dll" deleted successfully.
File "C:\WINDOWS\SYSTEM32\h8srtshsyst.dll" deleted successfully.
File "C:\WINDOWS\SYSTEM32\H8SRTveodvjitfj.dat" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

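The GMER log posted earlier in the thread and the Avenger script Belahzur built from it follow a fixed shape, so the triage step between them can be scripted. The Python below is an added example, not code from this thread, from GMER or from The Avenger. It parses only the line formats visible in the posted log (the `(*** hidden *** )` marker, `<-- ROOTKIT`, `(not active ControlSet)`), records which kernel routines the `Code` lines show as patched, which hidden DLL was loaded into which processes, and the hidden service's key in each control set, then drafts the three Avenger sections used above. The embedded log is a constructed, shortened copy of the posted one; the function and variable names are this example's own.

```python
"""Triage a GMER 1.0.15 log and draft an Avenger script from it.

Added example, not code from the thread, GMER or The Avenger; it relies only
on the line shapes visible in the posted log (the '*** hidden ***' marker,
'<-- ROOTKIT', '(not active ControlSet)').
"""
import re
from collections import defaultdict

HIDDEN = "(*** hidden *** )"

# Constructed sample: a shortened copy of the GMER log posted in the thread.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----
Code 8A84F170 ZwEnumerateKey
Code 8A853156 IofCallDriver
Code 8A82E416 IofCompleteRequest

---- Modules - GMER 1.0.15 ----
Module \systemroot\system32\drivers\H8SRTeppuwoodpt.sys (*** hidden *** ) BAC49000-BAC65000 (114688 bytes)

---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\H8SRTvaiekixnhi.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [620] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTvaiekixnhi.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [936] 0x006F0000

---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\H8SRTeppuwoodpt.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTeppuwoodpt.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys (not active ControlSet)

---- Files - GMER 1.0.15 ----
File C:\WINDOWS\SYSTEM32\H8SRTvaiekixnhi.dll 19456 bytes executable
File C:\WINDOWS\SYSTEM32\H8SRTveodvjitfj.dat 247 bytes
File C:\WINDOWS\SYSTEM32\DRIVERS\H8SRTeppuwoodpt.sys 40448 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\Temp\H8SRTe908.tmp 40960 bytes executable
"""

SERVICE_RE = re.compile(r"(.+?) \(\*\*\* hidden \*\*\* \) \[\w+\] (\S+) <-- ROOTKIT")
REG_RE = re.compile(r"(HKLM\\SYSTEM\\(ControlSet\d+|CurrentControlSet)\\Services\\[^\\@ ]+)(.*)")
FILE_RE = re.compile(r"(.+?) (\d+) bytes")


def parse_gmer_log(text):
    """Return the artifacts a GMER log reports, grouped by what the rootkit did."""
    found = {
        "hooked": set(),               # kernel routines GMER found patched ('Code' lines)
        "hidden_modules": set(),       # kernel modules hidden from normal enumeration
        "injected": defaultdict(set),  # hidden DLL -> user-mode processes it was loaded into
        "service": None,               # registry name of the hidden driver service
        "driver": None,                # on-disk path of that driver
        "registry_keys": set(),        # its service key in every control set GMER listed
        "inactive_controlsets": set(),
        "files": {},                   # path -> (size in bytes, flagged executable?)
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        kind, _, rest = line.partition(" ")
        if kind == "Code":
            found["hooked"].add(rest.split()[-1])
        elif kind == "Module" and HIDDEN in rest:
            found["hidden_modules"].add(rest.split(" " + HIDDEN)[0])
        elif kind == "Library" and HIDDEN in rest:
            dll, _, where = rest.partition(" @ ")
            # 'where' is "<process path> [pid] <load address>"; drop the address
            found["injected"][dll.split(" " + HIDDEN)[0]].add(where.rsplit(" ", 1)[0])
        elif kind == "Service" and (m := SERVICE_RE.match(rest)):
            found["driver"], found["service"] = m.group(1), m.group(2)
        elif kind == "Reg" and (m := REG_RE.match(rest)):
            found["registry_keys"].add(m.group(1))
            if "not active ControlSet" in m.group(3):
                found["inactive_controlsets"].add(m.group(2))
        elif kind == "File" and (m := FILE_RE.match(rest)):
            found["files"][m.group(1)] = (int(m.group(2)), "executable" in rest)
    return found


def build_avenger_script(found):
    """Draft the three Avenger sections in the form used in the thread."""
    service = found["service"]
    keys = sorted(k for k in found["registry_keys"]
                  if service is None or k.endswith("\\" + service))
    lines = ["Drivers to delete:"] + ([service] if service else [])
    lines += ["", "Files to delete:"] + sorted(found["files"])
    lines += ["", "Registry keys to delete:"] + keys
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_gmer_log(SAMPLE_GMER_LOG)
    print("patched kernel routines:", ", ".join(sorted(found["hooked"])))
    print(build_avenger_script(found))
```

Two things the parser keeps that the Avenger script does not use are worth reading off the real log. The `Code` lines name the four kernel routines the driver patched (ZwEnumerateKey, ZwFlushInstructionCache, IofCallDriver, IofCompleteRequest), which is how the service key, the driver file and the DLL stayed hidden from normal enumeration while the same DLL sat inside winlogon.exe, every svchost.exe and iexplore.exe. And GMER marked ControlSet002 as not the active control set; in the Avenger log above that key was deleted successfully while the CurrentControlSet copy came back as STATUS_OBJECT_NAME_NOT_FOUND after the driver itself had already been deleted. The log does not say whether the driver step had already removed that key, so treat a "not found" there as something to confirm with a rescan, as the thread goes on to do, rather than as a cleanup failure.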

Re: H8SRTD trojan

Post by Belahzur on Fri Jan 29, 2010 12:12 am

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Re: H8SRTD trojan

Post by bevomom on Fri Jan 29, 2010 3:04 am

I'm still getting the Service Host error, but the pc is booting in to normal windows mode successfully. The error says this in a little box:
To help protect your computer, windows has closed this program.
Name: Generic Host Process for Win32 Services
Publisher: Microsoft Corp


Here's the MBAM log:

========

Malwarebytes' Anti-Malware 1.44
Database version: 3654
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/28/2010 8:55:17 PM
mbam-log-2010-01-28 (20-55-17).txt

Scan type: Quick Scan
Objects scanned: 152268
Time elapsed: 9 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Beverly R\Local Settings\Application Data\av.exe (ROGUE.Win7Antispyware2010) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\H8SRTa22b.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\H8SRTa2f6.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\H8SRTa558.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\H8SRTe6f5.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\H8SRTe908.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\H8SRTeabd.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Beverly R\Local Settings\Temp\H8SRT81e7.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\h8srtkrl32mainweq.dll (Rootkit.Trace) -> Quarantined and deleted successfully.


Re: H8SRTD trojan

Post by Belahzur on Fri Jan 29, 2010 5:40 pm

Hello.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste BOTH LOGS back here, use more than one post if needed.



Re: H8SRTD trojan

Post by bevomom on Fri Jan 29, 2010 7:13 pm

Belahzur, thank you for your continued help. The two logs you requested are in two posts.

#1) Attach.txt - tbh there are a few there I don't recognize.
====================

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/19/2003 9:23:15 PM
System Uptime: 1/29/2010 3:16:28 AM (10 hours ago)

Motherboard: Dell Computer Corp. | | 0N2828
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================


==== Installed Programs ======================

2600
2600_Help
2600Trb
Acrophobia
Ad-Aware
Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.1.0 Professional
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe PageMaker 6.5
Adobe Reader 7.0.8
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.0
AiO_Scan
AiOSoftware
Amazon MP3 Downloader 1.0.3
America Online (Choose which version to remove)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AstroPop Deluxe 1.0
Audacity 1.2.3
Banctec Service Agreement
BattleNav
Battleship
BCM V.92 56K Modem
Big Fish Games Client
BlackBerry Desktop Software 4.3
Bonjour
BufferChm
Build-a-lot 3 - Passport to Europe
Caesar 3
Cake Mania
Cake Mania 3
Cake Mania(TM) 3
Camfrog Video Chat 5.3
Camtasia Studio 5
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Chocolatier (remove only)
Chocolatier + Together
Chocolatier(R) - Decadence by Design(TM)
Compatibility Pack for the 2007 Office system
Copy
CreativeProjects
CreativeProjectsTemplates
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Delicious Deluxe
Dell Digital Jukebox Driver
Dell Media Experience
Dell Networking Guide
Dell Solution Center
DellSupport
Destinations
Diner Dash (remove only)
Diner Dash 2
Diner Dash®: Flo on the Go
Director
DocProc
DocumentViewer
DS21Patch
DVDSentry
e-Watch Camera Viewer
EPSON Printer Software
Farm Frenzy
Farm Frenzy 2
Fax
Fix-it-Up - Kate's Adventure
GCPP Knightfish
Google Earth
Help and Support Customization
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Diagnostic Assistant
HP Image Zone 4.2
HP Photosmart 2600 series
HP PSC & OfficeJet 4.2
HP Software Update
HPSystemDiagnostics
HyperCam 2
Ink Monitor
InstantShare
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
Internet Explorer Default Page
Internet Explorer Q903235
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2
Java(TM) 6 Update 17
Java(TM) 6 Update 7
jetAudio
Lavender's Botanicals
LimeWire 4.16.7
LiveReg (Symantec Corporation)
Logitech MouseWare 9.41 .1
Logitech QuickCam
Logitech User's Guide
Malwarebytes' Anti-Malware
ManyCam 2.3 (remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Live Add-in 1.3
Microsoft Office Small Business Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Media Video 9 VCM
Microsoft Works 6-9 Converter
Modem Helper
MoodLogic
Mortimer Beckett and the Time Paradox
Mozilla Firefox (3.0.17)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
MUSICMATCH® Jukebox
Mystery P.I.(TM) - The New York Fortune
Norton Security Scan
NVIDIA Drivers
Overland
PhotoGallery
Pirate Commodity Trader
PowerDVD
PrintScreen
ProductContext
Puzzle Pirates
Puzzle Pirates Test
QFolder
QuickBooks Pro 99
QuickProjects
QuickTime
QuickTime for Windows (32-bit)
Ranch Rush
Readme
RealArcade
RealPlayer
Rhapsody Player Engine
Rio Music Manager
Roxio Media Manager
Sagashi
Sally's Spa
Sandlot Games Client Services
Sandlot Games Client Services 1.2.2
Scan
ScreenCam Demo
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
Segoe UI
Shopping Blocks
Sierra Utilities
SkinsHP1
Skype™ 3.5
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SONICblue Real Service Providers
Spybot - Search & Destroy
TeamSpeak 2 RC2
TestDrive Client
The Great Chocolate Chase
The Wonderful Icon
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Ventrilo Client
Viewpoint Media Player
WebFldrs XP
WebReg
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Wisdom-soft ScreenHunter 4.0 Free
Write Me a Memory Font CD
X Codec Pack
Yahoo! Messenger

==== End Of File ===========================


Re: H8SRTD trojan

Post by bevomom on Fri Jan 29, 2010 7:16 pm

#2) DDS
=========


DDS (Ver_09-12-01.01) - NTFSx86
Run by Beverly R at 13:01:45.01 on Fri 01/29/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2559.2092 [GMT -6:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NOS\bin\getPlusPlus_Adobe.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\System32\svchost.exe -k getPlusHelper
C:\Documents and Settings\All Users\Desktop\Adobe Reader 9 Installer\setup.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Live\Messenger\wlcsdk.exe
C:\Documents and Settings\Beverly R\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
BHO: AutorunsDisabled - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {35b68ee2-fa8b-4926-bfb7-08bef0129c0f} - c:\windows\system32\yayyvVLb.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [EM_EXEC] c:\progra~1\logitech\mousew~1\system\EM_EXEC.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: YExplorer1_8US.CAB - [You must be registered and logged in to see this link.]
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - [You must be registered and logged in to see this link.]
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - [You must be registered and logged in to see this link.]
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\yayyvVLb
Hosts: 192.168.1.2 HP000D9D0A3F63

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\beverl~1\applic~1\mozilla\firefox\profiles\c4us2u5p.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\Beverly R\application data\mozilla\firefox\profiles\c4us2u5p.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\np_gp.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\np32dsw.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npdeploytk.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin2.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin3.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin4.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin5.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin6.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin7.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npsnapfish.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - hidden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - hidden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - hidden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - hidden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - hidden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCE08D86A-A41A-410A-943C-13BABB7DC474", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9EDC9ED-603A-4F3F-BBEA-59C8853A3236", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID90D10942-D952-4863-9DD6-A2BDBBAD456E", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0ECEE744-7B69-4912-AB91-AE76D61ECB04", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF25635B2-1AB9-47B5-88D1-8877B22C86DE", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID27B7F812-4159-45B9-A389-B7A118A58DE4", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF849DF29-393B-4F8B-99D1-117A70D66FC7", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBF1E9C3D-637C-4171-BD12-28A7360B879A", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDDE1C0601-7947-4D7F-A6E5-E68BF6BA1E37", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4EA0DCCE-4D98-4876-9C6A-E5C563D0820A", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID446462BA-2AAD-4C88-BC63-5210E2F31465", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0862E368-A40E-4E55-83EB-FBC5571BABA4", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDD2A96E3C-FFB3-4D38-9AC3-B127527BEA35", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4B05B39A-9DDC-4650-A7F8-D5B134E5FFE5", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC8E2574A-7BCE-4B93-A22E-61831DFD6DB8", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID659796C0-8B5D-48D7-A4EB-7E6874E26274", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID78071AB5-E729-414E-8D02-9C1D034F82E7", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCC3F71E1-17F3-4C5B-997D-44CA56943197", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE67D5C78-B2D4-4BA0-8D69-1C7AF4BB08B5", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFC5F3D7A-D321-412C-8A5D-9AD0C8041941", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6EC5CD16-81BC-4515-9EDD-9265C906F56E", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID67CFB2C5-E491-4395-977B-CD45E4124655", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID73600569-52E6-4760-8BAB-B68202937D98", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB02EBD42-6885-401A-9389-E089F7DDC872", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBAE5CB8C-4075-4743-B2E4-78DA8D8CDC64", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID28B07B04-DA99-4FD3-BF27-4972F2B8142B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0D53448F-D12B-4102-8CE2-697DAE8D6643", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE3266A47-A141-47B8-AAA8-5F16FB4F8CCD", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB33AB7AF-76D7-4B1C-B709-5D6BF9E7B1C7", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID153B7451-0BB5-4B37-95C0-44D89E2F1F2B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID3BBE8E21-0D3D-4BAA-AC6F-C7BCEF750849", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID9B5B4F2D-A7D9-4329-B0FE-92B301A8CAAD", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA5C42921-8CD0-4924-97C3-01B5B0610BC6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID06969252-F90F-4CF2-9074-33772EB64859", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFBF37655-1236-4C0D-96C5-F94E1724841B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC1A3F035-B68F-4B2B-9FD5-E36DAAAF26DD", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID368F3685-543E-4812-9FDE-96E097E453FC", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID43969873-56AA-4113-84CB-4AB2AEB9AA31", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA205DD80-63D4-4E41-B785-26EC3D90B97B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID068D43E7-7551-4A2F-AE96-4A38A9AD1953", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF443E9CB-9EEC-456E-8AE7-F3102D5CD47D", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE36A7B16-645D-4261-BFF8-3A7E69C5F7A5", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID379805E3-E0E2-40DC-B51B-6DC1AE5802AA", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF6240D69-A06D-44A1-8003-8496CCEF2C53", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID26C3113D-5A71-4F1B-A2CB-BE59E1279DDA", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID92B97F2B-7565-4CE9-9AC7-0598DFD731F8", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID2AA5E7CF-9696-42F0-B76A-8655296EADF2", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0AAACE0B-ACEF-4781-83F4-BFB52EEC995A", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0D56FF58-A39D-4E8C-A40B-2E3711251772", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID946121C2-11F1-49DD-A7E3-CF793DE827A4", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB853303D-1BAB-43F3-9D7D-101D0DA8E7A5", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID9E578247-FE29-4F8C-8202-A24A5688CF2A", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6D065A8F-FFC0-4A0F-B863-1D724B8C786B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4451D291-6940-42CE-9D3C-CA1D4C96549C", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID064B722D-079D-4EBB-B3CF-9FCBF64FFF5D", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID38F8AB0F-5DFB-43D9-889E-8717CC4AB59B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4EC68CD1-0EF1-4CB9-9EF1-3D64AB266149", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID44F96B27-CFAD-41E1-83A1-6B28040C3BDE", "AllAccess");

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
S0 fkwkeh;fkwkeh;c:\windows\system32\drivers\wecpy.sys --> c:\windows\system32\drivers\wecpy.sys [?]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk;aswFsBlk.sys --> aswFsBlk.sys [?]
S2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast5\avastsvc.exe" --> c:\program files\alwil software\avast5\AvastSvc.exe [?]
S3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast5\avastsvc.exe" --> c:\program files\alwil software\avast5\AvastSvc.exe [?]
S3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast5\avastsvc.exe" --> c:\program files\alwil software\avast5\AvastSvc.exe [?]
S3 QCPro;Logitech QuickCam Pro USB(PID_D001);c:\windows\system32\drivers\p35u.sys [2005-3-15 116448]
S3 VisorUsb;Handspring USB;c:\windows\system32\drivers\VisorUsb.sys [2003-12-19 19968]

=============== Created Last 30 ================

2010-01-26 02:46:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-01-22 16:28:11 16700 ----a-w- c:\docume~1\alluse~1\applic~1\h8srtmainqt.dll
2010-01-22 06:10:28 0 ----a-w- c:\documents and settings\Beverly R\settings.dat
2010-01-19 19:59:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-19 17:29:09 0 d-----w- c:\docume~1\beverl~1\applic~1\Malwarebytes
2010-01-19 17:22:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-19 17:22:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-19 17:22:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-19 16:04:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-12-16 12:57:07 18432 ------w- c:\windows\system32\dllcache\iedw.exe
2009-12-08 09:13:51 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-11-21 16:36:13 470528 ----a-w- c:\windows\system32\dllcache\aclayers.dll
2008-04-06 22:39:00 0 ----a-w- c:\program files\temp01
2008-01-22 18:22:41 774144 ----a-w- c:\program files\RngInterstitial.dll
2007-10-06 08:53:54 11017481 ----a-w- c:\program files\Burger Shop.exe
2005-03-15 19:43:11 97 -c--a-w- c:\program files\clean up.bat
2008-04-27 17:29:40 536301 --sha-w- c:\windows\system32\bLVvyyay.ini2
2008-04-25 02:19:11 429741 --sha-w- c:\windows\system32\dgjiQqss.ini2

============= FINISH: 13:02:22.29 ===============

bevomom
Novice
Novice

Posts Posts : 16
Joined Joined : 2010-01-19
OS OS : win xp
Points Points : 25346
# Likes # Likes : 0

View user profile

Back to top Go down

Re: H8SRTD trojan

Post by Belahzur on Sat Jan 30, 2010 4:45 pm

Hello.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\docume~1\alluse~1\applic~1\h8srtmainqt.dll
    c:\documents and settings\Beverly R\settings.dat
    c:\windows\system32\bLVvyyay.ini2
    c:\windows\system32\dgjiQqss.ini2

    Driver::
    fkwkeh

    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


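To make explicit what the Registry:: section of that CFScript does, here is an added example written for this page; it is not part of the thread and not code from ComboFix or DDS. It decodes the hex(7) (REG_MULTI_SZ) value from the script and compares it with the LSA line DDS reported earlier in the thread, so a reader can see that the fix resets Authentication Packages to msv1_0 alone and drops the yayyvVLb entry (the same name that appeared as a BHO DLL in the DDS report). Both input lines are copied from the thread; the function names are this example's own.

```python
"""
Added example (not from the thread, ComboFix or DDS): decode the CFScript's
hex(7) registry value and diff it against the LSA line from the DDS log.
"""
import re

# Copied from the DDS "Pseudo HJT Report" posted earlier in this thread.
DDS_LSA_LINE = r"LSA: Authentication Packages = msv1_0 c:\windows\system32\yayyvVLb"

# Copied from the Registry:: section of the CFScript in the post above.
CFSCRIPT_REG_LINE = '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'

# The only package a stock Windows XP installation lists in this value.
EXPECTED_PACKAGES = ["msv1_0"]


def decode_reg_multi_sz(line):
    """Decode a .reg-style hex(7) value (REG_MULTI_SZ) into its list of strings.

    hex(7) is a comma-separated byte list; each string is NUL-terminated and
    the whole list ends with one more NUL. The CFScript uses the single-byte
    form shown in the thread; a Unicode .reg export would carry the same
    strings as UTF-16LE and would need 'utf-16-le' decoding instead.
    """
    m = re.search(r"hex\(7\):([0-9a-fA-F,\\\s]+)", line)
    if not m:
        raise ValueError("not a hex(7) value: " + line)
    raw = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", m.group(1)))
    # Split on NUL; the terminators leave empty tails that we discard.
    return [s.decode("ascii") for s in raw.split(b"\x00") if s]


def parse_dds_lsa_packages(line):
    """Return the package names DDS prints for LSA 'Authentication Packages'."""
    prefix = "LSA: Authentication Packages ="
    if not line.startswith(prefix):
        raise ValueError("not a DDS LSA line: " + line)
    return line[len(prefix):].split()


def packages_removed_by_script(dds_line, reg_line):
    """Entries present on the infected box that the CFScript value no longer contains."""
    current = parse_dds_lsa_packages(dds_line)
    after = decode_reg_multi_sz(reg_line)
    return [p for p in current if p not in after]


def unexpected_packages(dds_line):
    """Audit view: anything in the LSA list beyond the stock msv1_0 deserves a look."""
    return [p for p in parse_dds_lsa_packages(dds_line) if p not in EXPECTED_PACKAGES]


if __name__ == "__main__":
    print("CFScript sets Authentication Packages to:", decode_reg_multi_sz(CFSCRIPT_REG_LINE))
    print("Removed from the infected box:", packages_removed_by_script(DDS_LSA_LINE, CFSCRIPT_REG_LINE))
    print("Flagged by the audit check:", unexpected_packages(DDS_LSA_LINE))
```

The audit function is the reusable part: an LSA Authentication Packages value that lists anything other than msv1_0 on an XP machine is worth explaining before it is trusted, because a DLL named there is loaded by lsass.exe at every boot.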

Re: H8SRTD trojan

Post by bevomom on Sun Jan 31, 2010 11:29 pm

Hi Belahzur,

I downloaded Combofix and ran it. It was missing the MS recovery console, so I OK'd it to download/install it, then clicked Yes for it to continue scanning. I left the PC for a while and when I returned it had returned to the Windows login screen. I logged in and got the hairy, scary blue screen with the "physical memory dump" error. I did a hard reboot and logged in to Windows with no trouble, and the startup Svchost.exe error, which has been there FOREVER, is now gone. Yay! So I'm assuming Combofix did something, but there is no log I can find. Nothing was on the screen when I did the restart, and there is no .txt file on my desktop or in the folder where I saved combofix.exe. I'll run Combofix again and post back.

FYI - The primary error on the blue screen was 0x000000F7, which, after some researching, I found relates to a "DRIVER_OVERRAN_STACK_BUFFER" (whatever that is).


Re: H8SRTD trojan

Post by bevomom on Sun Jan 31, 2010 11:38 pm

Before I ran it the second time (see above), I decided to do a c:\ search and I think I found it. Still not sure about that error, though. Hope this is what you're looking for. Let me know if I need to run it again.

==========
ComboFix 10-01-30.07 - Beverly R 01/31/2010 13:21:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2559.2135 [GMT -6:00]
Running from: C:\Documents and Settings\Beverly R\Desktop\PC Fixes\ComboFix.exe
Command switches used :: C:\Documents and Settings\Beverly R\Desktop\PC Fixes\CFScript.txt

FILE ::
"c:\docume~1\alluse~1\applic~1\h8srtmainqt.dll"
"c:\documents and settings\Beverly R\settings.dat"
"c:\windows\system32\bLVvyyay.ini2"
"c:\windows\system32\dgjiQqss.ini2"


Re: H8SRTD trojan

Post by Belahzur on Mon Feb 01, 2010 12:41 am

Hello.

Combofix still did what was needed.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?



Re: H8SRTD trojan

Post by bevomom on Tue Feb 02, 2010 4:15 pm

I've uninstalled ComboFix and my PC is running a lot smoother. Any other recommendations? Is my computer safe now for things like online banking?

Thank you again for the great support.


Re: H8SRTD trojan

Post by Belahzur on Tue Feb 02, 2010 7:15 pm

Let's do an online scan.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Uncheck (untick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.



Re: H8SRTD trojan

Post by bevomom on Wed Feb 03, 2010 12:24 am

Doesn't look good... Virtumonde?

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0ebd953081a1434fb2f6153e612760d2
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-02 11:38:33
# local_time=2010-02-02 05:38:33 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=132668
# found=9
# cleaned=0
# scan_time=4328
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000018.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000019.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000020.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000021.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000022.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000023.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000024.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000025.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000026.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I

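The scan log above is easier to read with a short summary. As an added example that is not from the thread and not ESET's own code, the following parser (its assumed layout: '#' header lines of key=value, then one detection per line ending in threat name, object type, hash and flag) counts the detections and checks whether each one sits inside a System Restore snapshot under System Volume Information\_restore, which is why the follow-up in this thread is to flush and recreate the restore points. The log lines are copied from the post; the function names and the layout rules are this example's own.

```python
"""
Added example (not part of the thread, not ESET code): summarize an ESET
Online Scanner log and separate restore-point hits from live file hits.
"""
import re
from collections import Counter

# Constructed input: the two header fields that matter plus the nine
# detection lines copied from the log above (other '#' lines omitted).
ESET_LOG = r"""
# found=9
# cleaned=0
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000018.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000019.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000020.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000021.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000022.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000023.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000024.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000025.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000026.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
"""

# Assumption about the layout: a detection line is
# "<path, may contain spaces> <threat> <object type> <hash> <flag>", so the
# last four whitespace-separated fields are split off and the rest is the path.
RESTORE_MARKER = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


def parse_eset_log(text):
    """Return (header dict, list of detection dicts) for an ESET online scanner log."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            if value:
                header[key.strip()] = value.strip()
            continue
        parts = line.rsplit(None, 4)
        if len(parts) != 5:
            continue  # not a detection line in the layout assumed above
        path, threat, kind, digest, flag = parts
        detections.append({"path": path, "threat": threat, "type": kind,
                           "hash": digest, "flag": flag})
    return header, detections


def in_restore_point(path):
    """True when the path lies inside a System Restore snapshot."""
    return bool(RESTORE_MARKER.search(path))


def summarize(text):
    """Counts a helper would want: what the scanner reported vs. what was parsed,
    how many hits are only in restore points, and any live paths left to act on."""
    header, dets = parse_eset_log(text)
    return {
        "reported_found": int(header.get("found", "0")),
        "reported_cleaned": int(header.get("cleaned", "0")),
        "parsed": len(dets),
        "in_restore_points": sum(in_restore_point(d["path"]) for d in dets),
        "live_paths": [d["path"] for d in dets if not in_restore_point(d["path"])],
        "threats": Counter(d["threat"] for d in dets),
    }


if __name__ == "__main__":
    for key, value in summarize(ESET_LOG).items():
        print(key, "=", value)
```

For this log every one of the nine hits resolves to a restore-point path and live_paths comes back empty; on another machine a non-empty live_paths list is the part to deal with first, since those files are still reachable by the running system.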

Re: H8SRTD trojan

Post by Belahzur on Wed Feb 03, 2010 1:04 am

Hello.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.




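The System Restore off/on cycle at the top of this post, scripted rather than clicked, as an added example that is not part of Belahzur's post or of any tool the thread mentions. It assumes Windows XP SP3 with PowerShell 2.0 installed, an Administrator session, and the root\default:SystemRestore WMI class (the same interface the System Restore tab drives); the drive list is a constructed value.

```powershell
# Added example (not from the original post): turn System Restore off, then
# back on, and record one clean restore point.
# Assumptions: XP SP3 + PowerShell 2.0, run as Administrator, and the
# root\default:SystemRestore WMI class is present. Drive letters are constructed.

$drives = @("C:\")   # constructed: add other protected drives if you have them

function Get-RestorePoints {
    # Every existing restore point, oldest first.
    Get-WmiObject -Namespace root\default -Class SystemRestore |
        Sort-Object SequenceNumber |
        Select-Object SequenceNumber, CreationTime, Description
}

# 1. Record what is there first. A scanner flagging "Virtumonde" inside
#    System Volume Information\_restore* is usually an old restore point,
#    not a live infection, so keep this list before wiping them.
Write-Host "Restore points before:"
Get-RestorePoints | Format-Table -AutoSize

$sr = [wmiclass]"\\.\root\default:SystemRestore"

# 2. Disabling System Restore on a drive deletes every restore point on it.
#    That is the purpose of the step: cached infected copies go with them.
foreach ($d in $drives) {
    $rc = $sr.Disable($d)
    if ($rc.ReturnValue -ne 0) { throw "Disable failed on $d (code $($rc.ReturnValue))" }
}

# 3. Re-enable it, waiting until the service reports it is back on.
foreach ($d in $drives) {
    $rc = $sr.Enable($d, $true)
    if ($rc.ReturnValue -ne 0) { throw "Enable failed on $d (code $($rc.ReturnValue))" }
}

# 4. Create one known-clean restore point to roll back to later.
#    RestorePointType 0 = APPLICATION_INSTALL, EventType 100 = BEGIN_SYSTEM_CHANGE.
$rc = $sr.CreateRestorePoint("Clean after malware removal", 0, 100)
if ($rc.ReturnValue -ne 0) { throw "CreateRestorePoint failed (code $($rc.ReturnValue))" }

Write-Host "Restore points after:"
Get-RestorePoints | Format-Table -AutoSize
```

The "after" list should contain only the single new point; if older entries survive, System Restore was not actually disabled on that drive.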

Re: H8SRTD trojan

Post by bevomom on Thu Feb 04, 2010 7:10 pm

Thanks for your suggestions. I run AdAware and S&D, and now have Avast. Will those 3 things combined remove the virtumonde or should we do another run of combofix?


Re: H8SRTD trojan

Post by Belahzur on Thu Feb 04, 2010 8:55 pm

Is the infection still active? The logs look good, and ESET would have found something else other than restore points.





Re: H8SRTD trojan

Post by bevomom on Thu Feb 04, 2010 10:46 pm

Ohhh! I just saw "Virtumonde" on the ESET log and thought I had an infection. I didn't realize it was just logging old restore points. You're the best and thanks again for everything. You guys are amazing.
