Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Infection with Trojan Vundo

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Infection with Trojan Vundo

Unread postby Charlet » June 7th, 2008, 6:08 am

Hello,

I have a computer equipped with Windows XP Pro and McAfee VirusScan. It got infected with viruses, including Vundo. Symptoms were: considerable slow down of the computer, Windows closing randomly, sudden adds appearing with Internet Explorer. Mc Afee indicated the automatic program update had been deactivated.

I have tried several solutions: VundoFixer, Spyboot search&destroy, but without solving the problem and it was still impossible to reactivate the automatic program update through program regedit in the Service managing software.

Lately I found Malwarebites-Antimalware, which detected 25 files infected, with Trojan Vundo, Downloader and another with a long name. Malwarebites has solved most of the problem except it keeps identifying Trojan Vundoo in a Key register named HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR. When being asked to do so, Malwarebites indicates it has destroyed Vundo, but the entry comes back again when a new scan is performed. The same happens when the MSSMGR file is deleted manually.

Please tell me what to do so I get rid of this virus.
Thanks in advance - Charlet
(This message is sent from my home PC, which is not the one infected)
Charlet
Active Member
 
Posts: 11
Joined: June 6th, 2008, 11:24 am
Advertisement
Register to Remove

Re: Infection with Trojan Vundo

Unread postby Scotty » June 7th, 2008, 6:44 am

Hi

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. For Vista users, right-click DSS and select Run As Administrator
  4. If asked to install HijackThis click on Yes
  5. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  6. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your next reply
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Infection with Trojan Vundo

Unread postby Charlet » June 9th, 2008, 6:29 am

This is the main .txt file
Deckard's System Scanner v20071014.68
Run by Charlet de Sauvage on 2008-06-09 12:17:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
26: 2008-06-09 10:17:41 UTC - RP563 - Deckard's System Scanner Restore Point
25: 2008-06-06 09:13:59 UTC - RP562 - Point de vérification système
24: 2008-06-04 14:28:23 UTC - RP561 - Software Distribution Service 3.0
23: 2008-06-04 11:53:19 UTC - RP560 - Software Distribution Service 3.0
22: 2008-06-03 16:18:03 UTC - RP559 - Point de vérification système


-- First Restore Point --
1: 2008-05-27 13:00:30 UTC - RP538 - Point de vérification système


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 80% (more than 75%).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-09 12:20:55
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\Network Associates\VirusScan\shstat.exe
C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\Dispatcher.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Orange HSS\Orange Desktop Search\OrangeDesktopSearch.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Program Files\Netscape\Netscape Browser\Netscp.exe
C:\Documents and Settings\Charlet de Sauvage\Bureau\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://recherche.enscpb.fr/piom/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/fr/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02B9CB8C-4FAC-498F-8D79-D140C515E526} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {21385345-F60F-4675-B8C8-1918D62FFB06} - (no file)
O2 - BHO: (no name) - {2776A47C-710A-41F7-924F-E9E010C3EB50} - (no file)
O2 - BHO: (no name) - {4E48ED95-DC2F-498A-BF39-33E99BC08F7B} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {791B800F-B7DE-422F-A3E2-0832C8EA4485} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DrvListnr] C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Dimension4] D:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [Dispatcher] C:\WINDOWS\dispatcher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NetTime] D:\NetTime\NetTime.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orange Desktop Search] "C:\Program Files\Orange HSS\Orange Desktop Search\OrangeDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [Mozilla Quick Launch] "d:\Program Files\Netscape\Netscape Browser\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Fichiers communs\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Assistant d'Acrobat.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/sh ... wflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player ... taller.exe
O17 - HKLM\Software\..\Telephony: DomainName = enscpb.fr
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = enscpb.fr
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = enscpb.fr
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Fichiers communs\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Fichiers communs\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Fichiers communs\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: winmyy32 - C:\WINDOWS\system32\winmyy32.dll
O23 - Service: Service Framework McAfee (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


--
End of file - 9104 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
R2 HPHIPA - c:\windows\system32\drivers\hphipa.sys
R3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>
R3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>

S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 McAfeeFramework (Service Framework McAfee) - d:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
R2 McTaskManager (Network Associates Task Manager) - "d:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-09 10:58:37 592 --a------ C:\WINDOWS\Tasks\Microsoft Office Outlook 2003.job


-- Files created between 2008-05-09 and 2008-06-09 -----------------------------

2008-06-06 14:22:09 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware1
2008-06-03 17:38:48 125952 -----n--- C:\WINDOWS\system32\gwhfumxw.dll
2008-06-03 16:59:52 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-06-03 16:08:21 0 d-------- C:\Documents and Settings\Charlet de Sauvage\Application Data\Malwarebytes
2008-06-03 16:07:59 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-06-03 16:07:58 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-03 15:40:26 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-03 13:43:45 0 --a------ C:\WINDOWS\system32\aiwmjcfn.dll
2008-06-03 13:40:56 0 --a------ C:\WINDOWS\system32\auhwyjip.dll
2008-06-02 16:36:27 0 d-------- C:\quarantine
2008-06-02 16:27:11 0 d-------- C:\VundoFix Backups
2008-06-02 13:40:27 0 --a------ C:\WINDOWS\system32\rbvlnfha.dll
2008-05-28 16:43:03 0 d-------- C:\Documents and Settings\Charlet de Sauvage\Application Data\Mozilla
2008-05-27 14:57:55 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-05-26 13:29:23 373074 --ahs---- C:\WINDOWS\system32\rXxFffhk.ini2
2008-05-26 13:23:21 31744 --a------ C:\WINDOWS\system32\winmyy32.dll
2008-05-26 11:56:07 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-05-26 10:33:18 0 d-------- C:\ENCORE4
2008-05-21 15:42:30 0 d-------- C:\Documents and Settings\Charlet de Sauvage\.brainvisa
2008-05-21 14:56:29 0 d-------- C:\Program Files\Virtools


-- Find3M Report ---------------------------------------------------------------

2008-06-04 16:34:21 522414 --a------ C:\WINDOWS\system32\perfh00C.dat
2008-06-04 16:34:21 93242 --a------ C:\WINDOWS\system32\perfc00C.dat
2008-05-26 11:59:00 2528 --a------ C:\Documents and Settings\Charlet de Sauvage\Application Data\$_hpcst$.hpc
2008-05-21 16:15:35 0 d--h----- C:\Program Files\WindowsUpdate
2008-05-07 15:19:52 0 d-------- C:\Program Files\WS_FTP
2008-04-24 17:06:39 0 d-------- C:\Documents and Settings\Charlet de Sauvage\Application Data\AdobeUM
2008-04-22 18:01:52 0 d-------- C:\Program Files\PROTEUS
2008-04-16 14:34:27 0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02B9CB8C-4FAC-498F-8D79-D140C515E526}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21385345-F60F-4675-B8C8-1918D62FFB06}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2776A47C-710A-41F7-924F-E9E010C3EB50}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E48ED95-DC2F-498A-BF39-33E99BC08F7B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{791B800F-B7DE-422F-A3E2-0832C8EA4485}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [17/12/2003 10:50 C:\WINDOWS\LOGI_MWX.EXE]
"DrvListnr"="C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe" []
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [11/03/2002 14:28]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [11/03/2002 14:20]
"McAfeeUpdaterUI"="D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [06/08/2004 04:50]
"ShStatEXE"="D:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [22/09/2004 21:00]
"Network Associates Error Reporting Service"="C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe" [07/10/2003 10:48]
"Dimension4"="D:\Program Files\D4\D4.exe" []
"Dispatcher"="C:\WINDOWS\dispatcher.exe" [15/02/2007 11:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 02:11]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [26/04/2002 19:53]
"NetTime"="D:\NetTime\NetTime.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [20/08/2004 01:09]
"Orange Desktop Search"="C:\Program Files\Orange HSS\Orange Desktop Search\OrangeDesktopSearch.exe" [17/01/2007 16:10]
"Mozilla Quick Launch"="d:\Program Files\Netscape\Netscape Browser\Netscp.exe" [08/02/2003 10:50]
"AdobeUpdater"="C:\Program Files\Fichiers communs\Adobe\Updater5\AdobeUpdater.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]

C:\Documents and Settings\All Users.WINDOWS\Menu D‚marrer\Programmes\D‚marrage\
Assistant d'Acrobat.lnk - D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [15/05/2003 01:19:50]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 10:01:04]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [06/08/2000 02:03:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= D:\Eudora\EuShlExt.dll [17/08/2006 15:57 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winmyy32]
winmyy32.dll 26/05/2008 13:23 31744 C:\WINDOWS\system32\winmyy32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1267ed8a-6776-11dc-b36d-000423320f58}]
Auto\command- AdobeR.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e




-- Hosts -----------------------------------------------------------------------

127.0.0.1 http://www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 http://www.008k.com
127.0.0.1 008k.com
127.0.0.1 http://www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 http://www.032439.com
127.0.0.1 032439.com

8554 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-09 12:22:55 ------------

and this is the extra.txt file
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professionnel (build 2600) SP 2.0
Architecture: X86; Language: French

CPU 0: Intel(R) Pentium(R) 4 CPU 2.00GHz
Percentage of Memory in Use: 79%
Physical Memory (total/avail): 759.48 MiB / 151.95 MiB
Pagefile Memory (total/avail): 2218.25 MiB / 1749.81 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.17 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 9.77 GiB total, 1.86 GiB free.
D: is Fixed (NTFS) - 27.49 GiB total, 7.69 GiB free.
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST340016A - 37.25 GiB - 2 partitions
\PARTITION0 (bootable) - Système de fichiers installable - 9.77 GiB - C:
\PARTITION1 - Étendu avec Inter. 13 étendue - 27.49 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"D:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"="D:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe:*:Enabled:WinDVD"
"D:\\Program Files\\D4\\D4.exe"="D:\\Program Files\\D4\\D4.exe:*:Disabled:Dimension 4"
"D:\\Program Files\\FileZilla\\FileZilla.exe"="D:\\Program Files\\FileZilla\\FileZilla.exe:*:Enabled:FileZilla"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Disabled:SmartFTP Client 2.0"
"C:\\Program Files\\Comet Assay IV\\Comet4.exe"="C:\\Program Files\\Comet Assay IV\\Comet4.exe:*:Enabled:Comet Assay IV Demo"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\\SETUP.EXE"="F:\\SETUP.EXE:*:Enabled:Setup"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:Logiciel de transfert de fichiers"
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"="C:\\Program Files\\WS_FTP\\WS_FTP95.exe:*:Enabled:WS_FTP 95"
"C:\\WINDOWS\\system32\\winver.exe"="C:\\WINDOWS\\system32\\winver.exe:*:Enabled:winver"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Charlet de Sauvage\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Fichiers communs
COMPUTERNAME=SODIUM
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Charlet de Sauvage
LOGONSERVER=\\SODIUM
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Bitvise Tunnelier
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp
USERDOMAIN=SODIUM
USERNAME=Charlet de Sauvage
USERPROFILE=C:\Documents and Settings\Charlet de Sauvage
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Charlet de Sauvage (admin)
ASPNET (new local)


-- Add/Remove Programs ---------------------------------------------------------

--> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7E518B2-B174-11D3-9D4E-0060B0A4823E}\setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUN040C.EXE -f"C:\Program Files\Fichiers communs\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Fichiers communs\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Acrobat 6.0 Professional - English, Français, Deutsch --> MsiExec.exe /I{AC76BA86-1033-F400-7760-000000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Barre d'outils MSN --> C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr\mtbs.exe c
burnatonce --> "D:\Program Files\burnatonce\unins000.exe"
Color LaserJet 2600n --> C:\Program Files\Zenographics\{B2702CB6-70D5-48BE-9C76-4B835CFCFF63}\setup.exe -u "HPCLJKCInstaller.dll=CLJ2600.INF"
Compaq 5500 INF and ICM software --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F057CFA-0DD5-4EE1-81FC-6C9BBD78ED49}\Setup.exe" -l0x40c
Compel Adaptec WinASPI --> "d:\Program Files\WinASPI\unins000.exe"
Correctif pour Windows XP (KB914440) --> "C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Correctif Windows XP - KB873339 --> C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Correctif Windows XP - KB885250 --> C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Correctif Windows XP - KB885835 --> C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Correctif Windows XP - KB885836 --> C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Correctif Windows XP - KB885884 --> C:\WINDOWS\$NtUninstallKB885884$\spuninst\spuninst.exe
Correctif Windows XP - KB886185 --> C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Correctif Windows XP - KB887472 --> C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Correctif Windows XP - KB887742 --> C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Correctif Windows XP - KB888113 --> C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Correctif Windows XP - KB888302 --> C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Correctif Windows XP - KB890859 --> "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Correctif Windows XP - KB891781 --> C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
Eudora --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B6B92FFF-C0A3-48B0-8548-DBF6250EBA53}\setup.exe" -l0x9
Intel(R) 845G Chipset Graphics Driver Software --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Intel(R) PRO Ethernet Adapter and Software --> Prounstl.exe
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Logitech MouseWare 9.79.1 --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\Setup.exe" -l0x40c -l040c UNINSTALL
LTspice/SwCADIII --> C:\Program Files\LTC\SwCADIII\scad3.exe -uninstall
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware1\unins000.exe"
McAfee VirusScan Enterprise --> MsiExec.exe /I{4DCA2739-9D16-4B55-808C-E72CD70A5BD3}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{9011040C-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional avec FrontPage --> MsiExec.exe /I{9028040C-6000-11D3-8CFE-0050048383C9}
Microsoft SQL Server Desktop Engine --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Mise à jour de sécurité pour Lecteur Windows Media (KB911564) --> "C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Lecteur Windows Media 10 (KB911565) --> "C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Lecteur Windows Media 10 (KB917734) --> "C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Lecteur Windows Media 10 (KB936782) --> "C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Lecteur Windows Media 6.4 (KB925398) --> "C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB893066) --> "C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB896422) --> "C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB896424) --> "C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB899589) --> "C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB905915) --> "C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB911567) --> "C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB912812) --> "C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB912919) --> "C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB913446) --> "C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB916281) --> "C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB917159) --> "C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB917422) --> "C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB917537) --> "C:\WINDOWS\$NtUninstallKB917537$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB918899) --> "C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB920214) --> "C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB921398) --> "C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB921503) --> "C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB921883) --> "C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB922616) --> "C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB922760) --> "C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB923694) --> "C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB925486) --> "C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB933729) --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB937894) --> "C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB938829) --> "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB939373) --> "C:\WINDOWS\$NtUninstallKB939373$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB941202) --> "C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB941568) --> "C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB941644) --> "C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB941693) --> "C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB942830) --> "C:\WINDOWS\$NtUninstallKB942830$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB942831) --> "C:\WINDOWS\$NtUninstallKB942831$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB943055) --> "C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB943460) --> "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB943485) --> "C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB944653) --> "C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB945553) --> "C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB946026) --> "C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB948590) --> "C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB948881) --> "C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB950749) --> "C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB904942) --> "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB929338) --> "C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB931836) --> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB932823-v3) --> "C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB933360) --> "C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB942763) --> "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Messenger 7.5 --> MsiExec.exe /I{BAFD3C1E-03EC-11DA-BFBD-00065BBDC0B5}
Netscape (7.02) --> C:\WINDOWS\NSUninst.exe /ua "7.02 (fr)"
Orange Desktop Search --> C:\Program Files\Orange HSS\Orange Desktop Search\uninst.exe
Pdf995 --> C:\Program Files\pdf995\setup.exe uninstall
PowerArchiver --> C:\Program Files\PowerArchiver\UNINST.EXE
Protel 99 SE --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{498EE1A0-971C-11D3-A365-0080C8D7EFAF}\setup.exe"
Protel 99 SE Service Pack 6 --> D:\PROGRA~1\protel99\DESIGN~1\System\UNINST~1\SERVIC~1\UNWISE.EXE /R D:\PROGRA~1\protel99\DESIGN~1\System\UNINST~1\SERVIC~1\INSTALL.LOG
Real Alternative 1.46 --> "d:\Program Files\Real Alternative\unins000.exe"
SmartFTP Client Setup Files 2.0 (x64) (remove only) --> "D:\Program Files\SmartFTP Client 2.0 (x64) Setup Files\uninst-sftp.exe"
SoundMAX --> RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.EXE"
Tuner --> C:\Program Files\Microsoft ActiveSync\Tuner\Uninstall.exe Tuner
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Virtools 3D Life Player --> C:\Program Files\Virtools\3D Life Player\WebplayerConfig.exe -u
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
x264 Revision 305 x264.nl (remove only) --> "d:\Program Files\x264\x264-uninstall.exe"
XnView 1.82.4 --> "D:\Program Files\XnView\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type18114 / Warning
Event Submitted/Written: 06/09/2008 00:22:31 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Serait bloqué par une règle de blocage de comportement (la règle est actuellement en mode avertissement) (mode avertissement uniquement !).(ordinateur source SODIUM, adresse IP 172.20.11.82, utilisateur SYSTEM, exécution de VirusScan Enter 8.0 - OAS)

Event Record #/Type18113 / Warning
Event Submitted/Written: 06/09/2008 00:22:30 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Serait bloqué par une règle de blocage de comportement (la règle est actuellement en mode avertissement) (mode avertissement uniquement !).(ordinateur source SODIUM, adresse IP 172.20.11.82, utilisateur SYSTEM, exécution de VirusScan Enter 8.0 - OAS)

Event Record #/Type18112 / Error
Event Submitted/Written: 06/09/2008 00:22:10 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Le fichier C:\WINDOWS\system32\rbvlnfha.dll est infecté par le virus Vundo (Cheval de Troie). La suppression du fichier a réussi.(ordinateur source SODIUM, adresse IP 172.20.11.82, utilisateur SODIUM, exécution de VirusScan Enter 8.0 - OAS)

Event Record #/Type18111 / Error
Event Submitted/Written: 06/09/2008 00:22:04 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Le fichier C:\WINDOWS\system32\auhwyjip.dll est infecté par le virus Vundo (Cheval de Troie). La suppression du fichier a réussi.(ordinateur source SODIUM, adresse IP 172.20.11.82, utilisateur SODIUM, exécution de VirusScan Enter 8.0 - OAS)

Event Record #/Type18110 / Error
Event Submitted/Written: 06/09/2008 00:21:59 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Le fichier C:\WINDOWS\system32\aiwmjcfn.dll est infecté par le virus Vundo (Cheval de Troie). La suppression du fichier a réussi.(ordinateur source SODIUM, adresse IP 172.20.11.82, utilisateur SODIUM, exécution de VirusScan Enter 8.0 - OAS)



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type19677 / Error
Event Submitted/Written: 06/06/2008 04:59:31 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM a reçu l'erreur "%%1084" lors de la mise en route du service EventSystem avec les arguments ""
pour démarrer le serveur :
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type19676 / Error
Event Submitted/Written: 06/06/2008 04:44:37 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM a reçu l'erreur "%%1084" lors de la mise en route du service StiSvc avec les arguments ""
pour démarrer le serveur :
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type19675 / Error
Event Submitted/Written: 06/06/2008 04:40:02 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM a reçu l'erreur "%%1084" lors de la mise en route du service StiSvc avec les arguments ""
pour démarrer le serveur :
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type19674 / Error
Event Submitted/Written: 06/06/2008 04:39:48 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM a reçu l'erreur "%%1084" lors de la mise en route du service StiSvc avec les arguments ""
pour démarrer le serveur :
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type19673 / Error
Event Submitted/Written: 06/06/2008 04:36:40 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM a reçu l'erreur "%%1084" lors de la mise en route du service netman avec les arguments ""
pour démarrer le serveur :
{BA126AE5-2166-11D1-B1D0-00805FC1270E}



-- End of Deckard's System Scanner: finished at 2008-06-09 12:22:55 ------------

Thans for your help - Charlet
Charlet
Active Member
 
Posts: 11
Joined: June 6th, 2008, 11:24 am

Re: Infection with Trojan Vundo

Unread postby Scotty » June 9th, 2008, 11:45 am

Hi

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

There is a tutorial on the basic use of Combofix here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

  • Save it to your Desktop.
  • Disconnect from the Internet.
  • Click on this LINK to disable McAfee Virusscan & Spybot TeaTimer
  • Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Infection with Trojan Vundo

Unread postby Charlet » June 10th, 2008, 9:08 am

This is file Combofix.txt

ComboFix 08-06-09.7 - Charlet de Sauvage 2008-06-10 12:43:49.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.252 [GMT 2:00]
Endroit: C:\Documents and Settings\Charlet de Sauvage\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Charlet de Sauvage\Bureau\WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
* Création d'un nouveau point de restauration
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMcb2bbce8.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aqktbkmj.ini
C:\WINDOWS\system32\aqrvytmg.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\dnnxiuao.ini
C:\WINDOWS\system32\gwhfumxw.dll
C:\WINDOWS\system32\hohsnmkj.ini
C:\WINDOWS\system32\jhytjfpb.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pyepmgeh.ini
C:\WINDOWS\system32\rXxFffhk.ini
C:\WINDOWS\system32\rXxFffhk.ini2
C:\WINDOWS\system32\uqlmgmga.ini
C:\WINDOWS\system32\winmyy32.dll
C:\WINDOWS\system32\yfsekhke.ini

.
((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-05-10 to 2008-06-10 ))))))))))))))))))))))))))))))))))))
.

2008-06-09 12:16 . 2008-06-09 12:16 <REP> d-------- C:\Deckard
2008-06-06 14:22 . 2008-06-06 14:22 <REP> d-------- C:\Program Files\Malwarebytes' Anti-Malware1
2008-06-06 14:22 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-06 14:22 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-06 14:02 . 2008-06-03 16:05 1,756,760 --a------ C:\mbam-setup.exe
2008-06-03 16:59 . 2008-06-04 16:30 <REP> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-03 16:59 . 2008-06-04 16:30 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-06-03 16:08 . 2008-06-03 16:08 <REP> d-------- C:\Documents and Settings\Charlet de Sauvage\Application Data\Malwarebytes
2008-06-03 16:07 . 2008-06-06 14:07 <REP> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-03 16:07 . 2008-06-03 16:07 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-06-03 15:40 . 2008-06-03 15:40 <REP> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-02 16:36 . 2008-06-04 13:39 <REP> d-------- C:\quarantine
2008-06-02 16:27 . 2008-06-02 16:27 <REP> d-------- C:\VundoFix Backups
2008-06-02 13:55 . 2008-06-02 13:55 2,625,536 --a------ C:\WINDOWS\system32\pyepmgeh.tmp
2008-05-27 14:57 . 2008-05-28 10:55 <REP> d-------- C:\Program Files\Mozilla Thunderbird
2008-05-26 11:56 . 2008-05-29 13:59 <REP> d-------- C:\Program Files\Microsoft ActiveSync
2008-05-26 10:33 . 2008-05-26 10:56 <REP> d-------- C:\ENCORE4
2008-05-21 15:42 . 2008-05-21 16:32 <REP> d-------- C:\Documents and Settings\Charlet de Sauvage\.brainvisa
2008-05-21 14:56 . 2008-05-21 14:56 <REP> d-------- C:\Program Files\Virtools
2008-05-16 13:47 . 2007-06-27 11:00 61,440 -ra------ C:\WINDOWS\system32\zIMF.dll
2008-05-16 13:47 . 2007-06-27 11:00 53,248 -ra------ C:\WINDOWS\system32\ztag.dll

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 13:19 --------- d-----w C:\Program Files\WS_FTP
2008-04-24 15:06 --------- d-----w C:\Documents and Settings\Charlet de Sauvage\Application Data\AdobeUM
2008-04-22 16:01 --------- d-----w C:\Program Files\PROTEUS
2008-04-16 12:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-16 12:34 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\DriveHQ
2007-09-25 08:35 81,920 ----a-w C:\Documents and Settings\Charlet de Sauvage\Application Data\ezpinst.exe
2007-09-25 08:35 47,360 ----a-w C:\Documents and Settings\Charlet de Sauvage\Application Data\pcouffin.sys
2007-07-04 08:22 30 ----a-w C:\Documents and Settings\Charlet de Sauvage\s.BAT
2007-07-04 08:22 30 ----a-w C:\Documents and Settings\Charlet de Sauvage\P.BAT
2007-06-26 09:11 34 ----a-w C:\Documents and Settings\Charlet de Sauvage\Q.BAT
2006-04-27 16:17 6,183,687 ----a-w C:\Program Files\ca4demo.zip
2005-12-22 15:45 774,144 ----a-w C:\Program Files\RngInterstitial.dll
1999-09-07 15:18 10 ----a-w C:\Documents and Settings\Charlet de Sauvage\R.BAT
1999-09-06 17:41 5 ----a-w C:\Documents and Settings\Charlet de Sauvage\X.BAT
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 01:09 15360]
"Orange Desktop Search"="C:\Program Files\Orange HSS\Orange Desktop Search\OrangeDesktopSearch.exe" [2007-01-17 16:10 4938016]
"Mozilla Quick Launch"="d:\Program Files\Netscape\Netscape Browser\Netscp.exe" [2003-02-08 10:50 481264]
"AdobeUpdater"="C:\Program Files\Fichiers communs\Adobe\Updater5\AdobeUpdater.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"DrvListnr"="C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe" [ ]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-03-11 14:28 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-03-11 14:20 106496]
"McAfeeUpdaterUI"="D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 04:50 139320]
"ShStatEXE"="D:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 21:00 94208]
"Network Associates Error Reporting Service"="C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe" [2003-10-07 10:48 147514]
"Dimension4"="D:\Program Files\D4\D4.exe" [ ]
"Dispatcher"="C:\WINDOWS\dispatcher.exe" [2007-02-15 11:52 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [2002-04-26 19:53 12288]
"NetTime"="D:\NetTime\NetTime.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 01:09 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= D:\Eudora\EuShlExt.dll [2006-08-17 15:57 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"vidc.X264"= x264vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13:TCP"= 13:TCP:port
"21:TCP"= 21:TCP:port
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 HPHIPA;HPHIPA;C:\WINDOWS\System32\Drivers\HPHIPA.sys [2005-12-12 15:53]

.
Contenu du dossier 'Scheduled Tasks/Tƒches planifi‚es'
"2008-06-10 10:47:02 C:\WINDOWS\Tasks\Microsoft Office Outlook 2003.job"
- C:\Documents and Settings\All Users.WINDOWS\Menu D‚marrer\Programmes\Microsoft Office\Microsoft Office Outlook 2003.lnk
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 12:48:12
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cach‚s ...

Balayage cach‚ autostart entries ...

Balayage des fichiers cach‚s ...

Scan termin‚ avec succŠs
Les fichiers cach‚s: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
D:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-06-10 12:52:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-10 10:52:42

Pre-Run: 1,895,550,976 octets libres
Post-Run: 1,812,795,392 octets libres

WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professionnel" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

160 --- E O F --- 2008-06-04 14:29:09

and this is file HijackThis.txt

Logfile of HijackThis v1.99.1
Scan saved at 15:05:04, on 10/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\dispatcher.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Orange HSS\Orange Desktop Search\OrangeDesktopSearch.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\explorer.exe
D:\PROGRA~1\Netscape\NETSCA~1\Netscp.exe
D:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://recherche.enscpb.fr/piom/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://recherche.enscpb.fr/piom/"); (C:\Documents and Settings\Charlet de Sauvage\Application Data\Mozilla\Profiles\default\c3islce8.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DrvListnr] C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Dimension4] D:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [Dispatcher] C:\WINDOWS\dispatcher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NetTime] D:\NetTime\NetTime.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orange Desktop Search] "C:\Program Files\Orange HSS\Orange Desktop Search\OrangeDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [Mozilla Quick Launch] "d:\Program Files\Netscape\Netscape Browser\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Fichiers communs\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Assistant d'Acrobat.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player ... taller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = enscpb.fr
O17 - HKLM\Software\..\Telephony: DomainName = enscpb.fr
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = enscpb.fr
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Service Framework McAfee (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

Thank you for your help - Charlet
Charlet
Active Member
 
Posts: 11
Joined: June 6th, 2008, 11:24 am

Re: Infection with Trojan Vundo

Unread postby Scotty » June 10th, 2008, 4:06 pm

Hi

Disable Teatimer
First:

  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident

Second:

  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do.You must
also manually disable your anti-virus and anti-spyware programs. See the link below for instructions on doing this.

http://www.bleepingcomputer.com/forums/topic114351.html

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

Code: Select all
KillAll::
 
File::
C:\WINDOWS\system32\pyepmgeh.tmp
C:\Documents and Settings\Charlet de Sauvage\s.BAT
C:\Documents and Settings\Charlet de Sauvage\P.BAT
C:\Documents and Settings\Charlet de Sauvage\Q.BAT
C:\Documents and Settings\Charlet de Sauvage\R.BAT
C:\Documents and Settings\Charlet de Sauvage\X.BAT
C:\WINDOWS\dispatcher.exe
C:\WINDOWS\system32\x264vfw.dll

Folder::
C:\VundoFix Backups

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dispatcher"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"=- 
 


Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Image


Refering to the picture above, drag CFScript into ComboFix.exe

In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Infection with Trojan Vundo

Unread postby Charlet » June 11th, 2008, 12:12 pm

Hello,
• I did the whole procedure you advised me to do, i.e. exiting Spybot S&D Resident, unchecking the box labelled Resident Tea-Timer and saving the script you have sent as “CFscript.txt” on the Desktop with Notepad. Then I rebooted the computer, manually disabled Internet, Mc Afee VirusScan access analysis and Windows Firewall. Then I dragged CFScript.txt into ComboFix.exe. The program ComboFix.exe started normally, saving a restoration point and began scanning the files, but it never reached the point where it tells the time will be changed, even waiting for 30 minutes. I did not click on the mouse during this time. I imagine the program stalled for some reason.
• To better understand what happened, I applied the whole procedure again in different situations:
1) erasing and downloading again Combofix from Bleeping Computer. Same result.
2) removing the 5 bat files of the Script (these files have only 1 or 2 lines to facilitate starting QBasic or Stats programs under MS-DOS). Same result.
3) reloading the computer at a restoration point from yesterday 10 june. Same result again.

• Could you tell me what to do next?
Thanks in advance - Charlet
Charlet
Active Member
 
Posts: 11
Joined: June 6th, 2008, 11:24 am

Re: Infection with Trojan Vundo

Unread postby Scotty » June 11th, 2008, 3:51 pm

Hi

If there is any problems, please do not try to resolve them yourself. Using System Restore may well have re-introduced more infection onto the pc.
I take it you mean you created those .bat files yourself?

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply with a new Hijackthis log.
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Infection with Trojan Vundo

Unread postby Charlet » June 12th, 2008, 8:28 am

Hello!
Sorry for having made a mistake using system restore.
To answer your question : I created myself the 5 bat files I mentioned in a previous post. This was intended to facilitate the use of a few DOS programs I am still using (mainly a DOS version of QBasic)
Another thing: do you have an idea of the additional time it may take for fixing the problem in my computer? My question is just because this takes part of my working time.

Below is the result of the scan with Kasperski

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, June 12, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, June 12, 2008 04:51:01
Records in database: 854617
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
F:\

Scan statistics:
Files scanned: 174374
Threat name: 9
Infected objects: 17
Suspicious objects: 1
Duration of the scan: 02:34:05


File name / Threat name / Threats count
winlogon.exe\winmyy32.dll/winlogon.exe\winmyy32.dll Infected: Trojan.Win32.Agent.qoh 1
C:\WINDOWS\system32\winmyy32.dll/C:\WINDOWS\system32\winmyy32.dll Infected: Trojan.Win32.Agent.qoh 1
C:\Documents and Settings\Charlet de Sauvage\Local Settings\Temp\Av-test.txt Infected: EICAR-Test-File 1
C:\QooBox\Quarantine\C\WINDOWS\system32\winmyy32.dll.vir Infected: Trojan.Win32.Agent.qoh 1
C:\System Volume Information\_restore{1C05D64F-507B-42EC-A06C-30B3FEAE478A}\RP557\A0081732.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.vqd 1
C:\System Volume Information\_restore{1C05D64F-507B-42EC-A06C-30B3FEAE478A}\RP563\A0083498.dll Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{1C05D64F-507B-42EC-A06C-30B3FEAE478A}\RP563\A0083499.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv 1
C:\System Volume Information\_restore{1C05D64F-507B-42EC-A06C-30B3FEAE478A}\RP564\A0083545.dll Infected: Trojan.Win32.Agent.qoh 1
C:\WINDOWS\system32\winmyy32.dll Infected: Trojan.Win32.Agent.qoh 1
D:\Eudora\Inserm.mbx Suspicious: Exploit.HTML.Iframe.FileDownload 1
D:\Transferts disque C\Program Files\Netscape\Users\charlet\Mail\Inbox Infected: Email-Worm.Win32.Navidad.b 1
D:\Transferts disque C\Windows\Mozilla\Profiles\charlet\31ud6w65.slt\Mail\pop.piom.u-bordeaux.fr\Inbox Infected: Email-Worm.Win32.Navidad.b 1
D:\Transferts disque D\UNZIPPED\TWSK21F\TRUMPING.EXE Infected: not-a-virus:NetTool.Win32.ICMPPing 1
D:\Transferts disque F\UTILS\CUTEFR~8.EXE Infected: not-a-virus:AdWare.Win32.TimeSink 4
D:\Transferts disque F\Z divers\ZIPPES\TWSK21F.ZIP Infected: not-a-virus:NetTool.Win32.ICMPPing 1

The selected area was scanned.

And this is the result of the scan with Highjackthis

Logfile of HijackThis v1.99.1
Scan saved at 14:09, on 2008-06-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\dispatcher.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Orange HSS\Orange Desktop Search\OrangeDesktopSearch.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\Netscape\NETSCA~1\Netscp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://recherche.enscpb.fr/piom/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
N3 - Netscape 7: user_pref("browser.startup.homepage", " http://www.ims-bordeaux.fr/"); (C:\Documents and Settings\Charlet de Sauvage\Application Data\Mozilla\Profiles\default\c3islce8.slt\prefs.js)
O2 - BHO: (no name) - {02B9CB8C-4FAC-498F-8D79-D140C515E526} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {21385345-F60F-4675-B8C8-1918D62FFB06} - (no file)
O2 - BHO: (no name) - {2776A47C-710A-41F7-924F-E9E010C3EB50} - (no file)
O2 - BHO: (no name) - {4E48ED95-DC2F-498A-BF39-33E99BC08F7B} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {791B800F-B7DE-422F-A3E2-0832C8EA4485} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DrvListnr] C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Dimension4] D:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [Dispatcher] C:\WINDOWS\dispatcher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NetTime] D:\NetTime\NetTime.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orange Desktop Search] "C:\Program Files\Orange HSS\Orange Desktop Search\OrangeDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [Mozilla Quick Launch] "d:\Program Files\Netscape\Netscape Browser\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Fichiers communs\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Assistant d'Acrobat.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player ... taller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = enscpb.fr
O17 - HKLM\Software\..\Telephony: DomainName = enscpb.fr
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = enscpb.fr
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmyy32 - C:\WINDOWS\SYSTEM32\winmyy32.dll
O23 - Service: Service Framework McAfee (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

Thanks for everything - Charlet

Charlet
Active Member
 
Posts: 11
Joined: June 6th, 2008, 11:24 am

Re: Infection with Trojan Vundo

Unread postby Scotty » June 12th, 2008, 12:29 pm

Hi

First thing you need to do is delete everything in your mailbox.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back in your next reply.


OTMoveIt2 -

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code: Select all
    C:\WINDOWS\system32\pyepmgeh.tmp
    C:\WINDOWS\system32\x264vfw.dll
    C:\VundoFix Backups
    C:\WINDOWS\system32\winmyy32.dll
    C:\Documents and Settings\Charlet de Sauvage\Local Settings\Temp\Av-test.txt
    D:\Transferts disque D\UNZIPPED\TWSK21F\TRUMPING.EXE
    D:\Transferts disque F\UTILS\CUTEFR~8.EXE
    D:\Transferts disque F\Z divers\ZIPPES\TWSK21F.ZIP
    

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Also run Deckards System Scanner and post the new [/b]main.txt[/b] please.
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Infection with Trojan Vundo

Unread postby Charlet » June 13th, 2008, 5:58 am

This is the report given by SDFix

SDFix: Version 1.191
Run by Charlet de Sauvage on 2008-06-13 at 11:30

Microsoft Windows XP [version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

This is the log given by OTMoveIt2

C:\WINDOWS\system32\pyepmgeh.tmp moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\x264vfw.dll
C:\WINDOWS\system32\x264vfw.dll NOT unregistered.
C:\WINDOWS\system32\x264vfw.dll moved successfully.
C:\VundoFix Backups moved successfully.
File/Folder C:\WINDOWS\system32\winmyy32.dll not found.
File/Folder C:\Documents and Settings\Charlet de Sauvage\Local Settings\Temp\Av-test.txt not found.
D:\Transferts disque D\UNZIPPED\TWSK21F\TRUMPING.EXE moved successfully.
D:\Transferts disque F\UTILS\CUTEFR~8.EXE moved successfully.
D:\Transferts disque F\Z divers\ZIPPES\TWSK21F.ZIP moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06132008_114610


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\WINMYY32.dll - Deleted
C:\P.BAT - Deleted
C:\Q.BAT - Deleted
C:\R.BAT - Deleted
C:\S.BAT - Deleted
C:\X.BAT - Deleted
C:\WINDOWS\dispatcher.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 11:36:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
"OODEFRAG08.00.00.01WORKSTATION"="A5291D6BC3F4EC65973E29D0C28255EA8077F0105AE33A195E9714268C2F0A29861B8CC7BD9F4762AE3939D7DE24F45AB671AAE6E26D563A502DCE47891CF69DE7E5DFB0F4F20CFA676FAC6E951C199D4BBD2D26E105F733FD4661A9DBBF1BDF09EBFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5BE2F6E667A9C6AECB7A5D1407FEBC9E127BECC74C9DB7CE019D40AA5C34C41FE08EC076B2DE1BC8D7DC0A923314A8922F9D55EA55BAF4BD1D34DB2EECA70798821BDF043885B9094F2F453D4B859FE0F550405213E7718AF4CC89335F4E93FEEE1AABEB03DFA88FCDE6E110853F32FBF872F981DACDC3DF9EBB5579B73FC5658A00F06EEE044BD2888302435C736CDF5E2D1DC5E8D8BF5ED0F9F3039347DBB33DB01CE396B86722B9F56DA08C853DDF51236B7E3A2D9E7DC7F4BE645264F52674883FB5DA7A289D9EA70F091A9278A07FE648211322FB09C30CB247974A984B9F538FE2627B1BB8F873756E4964D51B1D813B35FB40D81F8696EF69CBE12F08B4D3E7FC159D323D0FA754D7267FF09F606E7057BCC61A32D95D3C1B1C450694AB41C52AA2FCC5C7290701E2FD97C74E031DB73768288609081C0142F6444E7A02C24B2678E20FC99648F63D6216BE1DC4F18419CF8B4B3EE004495792621E1CB6F8BD3DCDD1AC08A818D629291A9D55E6466FD50A4B79C1383AC76865D76E2C50F508D29C7D2019B394E07FEEF38E16B164B459F2F48455E5D8CF17AB8F9CB1D6BEB6DB21CE51EC13CFFD2B0FA9A2506E0D33A42A4CC59046EB5C18E6A96A09564DFD65DA6189422352B7ABAD744C49ECF4EECA124779DC37F387B45A79FCE2600F318A9187772E46963E132F42E19B7EC21174D1103EFA1DE615C98D855D4288684B004DC32E19610BE30BBFB3A0B57B14635F54861BFBE0AD68494E897A7D682D6B0BDBCF23C1DE141E4CCB9E27D7BDF658D8C9BA7747EBA68939AAF6A3C39BA7D006CC18B0362D878AA7060E799723F0014825F61F97309FA730786F90914417E35FF53C965DBBB0667FE53DFDE0107918A41CB1C2FA2060925ECE4AD7BC86ACAD19F19275EE824E154BA220806FE87DF779AA1CF655B2A0BE040B1579EB8A0EDB499C225578F8141D97BC5AB0D69ADB9FE7901834DDE40E45F5CB8D541B7C553F9A96A720599E29A90276C521FA13683524D03BD61E36C8639D7727B01B0F91CFCB4614A248F328893E55EF4A95C3EC7F7632D1207429E7FAF8330BB60EF3C3A6AED30B914CFE9FB094221B08B624A36A3ABFD8B29546718E986D13F16CE66381A82E6782434913B35E6D3C973E2F3D85E1C88497861AE44821D54FD682A2D842B583B26FDDE07A4F0D087C1E63E35D85EFE0B83CA3B232F54E6103396FE782EEE2CA2F379FD7BF62"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000096
"TracesSuccessful"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"D:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"="D:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe:*:Enabled:WinDVD"
"D:\\Program Files\\D4\\D4.exe"="D:\\Program Files\\D4\\D4.exe:*:Disabled:Dimension 4"
"D:\\Program Files\\FileZilla\\FileZilla.exe"="D:\\Program Files\\FileZilla\\FileZilla.exe:*:Enabled:FileZilla"
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Disabled:SmartFTP Client 2.0"
"C:\\Program Files\\Comet Assay IV\\Comet4.exe"="C:\\Program Files\\Comet Assay IV\\Comet4.exe:*:Enabled:Comet Assay IV Demo"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\\SETUP.EXE"="F:\\SETUP.EXE:*:Enabled:Setup"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Enabled:Logiciel de transfert de fichiers"
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"="C:\\Program Files\\WS_FTP\\WS_FTP95.exe:*:Enabled:WS_FTP 95"
"C:\\WINDOWS\\system32\\winver.exe"="C:\\WINDOWS\\system32\\winver.exe:*:Enabled:winver"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 23 Feb 2007 5 ...H. --- "C:\jas20.exe"
Fri 23 Feb 2007 5 ...H. --- "C:\qdj49.com"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Fri 20 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 5 Feb 2001 34,331 A..H. --- "C:\Compaq\Monitors\5500\INSTALL.EXE"
Tue 19 Mar 2002 21,653 A..H. --- "C:\Compaq\Monitors\5500\SETMON.EXE"

Finished!

and this is the file main.txt given by Deckards System Scanner.

Deckard's System Scanner v20071014.68
Run by Charlet de Sauvage on 2008-06-13 11:55:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 84% (more than 75%).


-- HijackThis (run as Charlet de Sauvage.exe) ----------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-13 11:55:52
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\Network Associates\VirusScan\shstat.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Orange HSS\Orange Desktop Search\OrangeDesktopSearch.exe
D:\Program Files\Netscape\Netscape Browser\Netscp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Documents and Settings\Charlet de Sauvage\Bureau\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://recherche.enscpb.fr/piom/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/fr/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02B9CB8C-4FAC-498F-8D79-D140C515E526} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {21385345-F60F-4675-B8C8-1918D62FFB06} - (no file)
O2 - BHO: (no name) - {2776A47C-710A-41F7-924F-E9E010C3EB50} - (no file)
O2 - BHO: (no name) - {4E48ED95-DC2F-498A-BF39-33E99BC08F7B} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {791B800F-B7DE-422F-A3E2-0832C8EA4485} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DrvListnr] C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Dimension4] D:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NetTime] D:\NetTime\NetTime.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orange Desktop Search] "C:\Program Files\Orange HSS\Orange Desktop Search\OrangeDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [Mozilla Quick Launch] "d:\Program Files\Netscape\Netscape Browser\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Fichiers communs\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Assistant d'Acrobat.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/sh ... wflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player ... taller.exe
O17 - HKLM\Software\..\Telephony: DomainName = enscpb.fr
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = enscpb.fr
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = enscpb.fr
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Fichiers communs\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Fichiers communs\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Fichiers communs\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Service Framework McAfee (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


--
End of file - 9002 bytes

-- Files created between 2008-05-13 and 2008-06-13 -----------------------------

2008-06-13 11:25:50 0 d-------- C:\WINDOWS\ERUNT
2008-06-11 16:08:46 0 d-------- C:\WINDOWS\system32\Cache
2008-06-11 15:58:51 0 d-------- C:\ComboFix(2)
2008-06-10 13:45:36 0 d--hs---- C:\RECYCLER(2)
2008-06-10 12:43:32 0 d-------- C:\cmdcons
2008-06-10 12:27:25 68096 --a------ C:\WINDOWS\zip.exe
2008-06-10 12:27:25 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-10 12:27:25 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-10 12:27:25 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-10 12:27:25 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-10 12:27:25 98816 --a------ C:\WINDOWS\sed.exe
2008-06-10 12:27:25 80412 --a------ C:\WINDOWS\grep.exe
2008-06-10 12:27:25 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-06 14:22:09 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware1
2008-06-03 17:38:48 125952 --a------ C:\WINDOWS\system32\gwhfumxw.dll
2008-06-03 16:59:52 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-06-03 16:08:21 0 d-------- C:\Documents and Settings\Charlet de Sauvage\Application Data\Malwarebytes
2008-06-03 16:07:59 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-06-03 16:07:58 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-03 15:40:26 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-02 16:36:27 0 d-------- C:\quarantine
2008-05-28 16:43:03 0 d-------- C:\Documents and Settings\Charlet de Sauvage\Application Data\Mozilla
2008-05-27 14:57:55 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-05-26 11:56:07 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-05-26 10:33:18 0 d-------- C:\ENCORE4
2008-05-21 15:42:30 0 d-------- C:\Documents and Settings\Charlet de Sauvage\.brainvisa
2008-05-21 14:56:29 0 d-------- C:\Program Files\Virtools


-- Find3M Report ---------------------------------------------------------------

2008-06-04 16:34:21 522414 --a------ C:\WINDOWS\system32\perfh00C.dat
2008-06-04 16:34:21 93242 --a------ C:\WINDOWS\system32\perfc00C.dat
2008-05-26 11:59:00 2528 --a------ C:\Documents and Settings\Charlet de Sauvage\Application Data\$_hpcst$.hpc
2008-05-21 16:15:35 0 d--h----- C:\Program Files\WindowsUpdate
2008-05-07 15:19:52 0 d-------- C:\Program Files\WS_FTP
2008-04-24 17:06:39 0 d-------- C:\Documents and Settings\Charlet de Sauvage\Application Data\AdobeUM
2008-04-22 18:01:52 0 d-------- C:\Program Files\PROTEUS
2008-04-16 14:34:27 0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02B9CB8C-4FAC-498F-8D79-D140C515E526}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21385345-F60F-4675-B8C8-1918D62FFB06}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2776A47C-710A-41F7-924F-E9E010C3EB50}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E48ED95-DC2F-498A-BF39-33E99BC08F7B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{791B800F-B7DE-422F-A3E2-0832C8EA4485}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 C:\WINDOWS\LOGI_MWX.EXE]
"DrvListnr"="C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe" []
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-03-11 14:28]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-03-11 14:20]
"McAfeeUpdaterUI"="D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 04:50]
"ShStatEXE"="D:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 21:00]
"Network Associates Error Reporting Service"="C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe" [2003-10-07 10:48]
"Dimension4"="D:\Program Files\D4\D4.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [2002-04-26 19:53]
"NetTime"="D:\NetTime\NetTime.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 01:09]
"Orange Desktop Search"="C:\Program Files\Orange HSS\Orange Desktop Search\OrangeDesktopSearch.exe" [2007-01-17 16:10]
"Mozilla Quick Launch"="d:\Program Files\Netscape\Netscape Browser\Netscp.exe" [2003-02-08 10:50]
"AdobeUpdater"="C:\Program Files\Fichiers communs\Adobe\Updater5\AdobeUpdater.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43]

C:\Documents and Settings\All Users.WINDOWS\Menu D‚marrer\Programmes\D‚marrage\
Assistant d'Acrobat.lnk - D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2000-08-06 02:03:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= D:\Eudora\EuShlExt.dll [2006-08-17 15:57 86016]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1267ed8a-6776-11dc-b36d-000423320f58}]
Auto\command- AdobeR.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e

*Newly Created Service* - ENTDRV51



-- End of Deckard's System Scanner: finished at 2008-06-13 11:57:32 ------------



Thanks - Charlet
Charlet
Active Member
 
Posts: 11
Joined: June 6th, 2008, 11:24 am

Re: Infection with Trojan Vundo

Unread postby Scotty » June 13th, 2008, 7:38 am

Hi

Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
jas20.exe
Click Submit.
Please post the results of this scan to this thread.



If Jotti is busy or unavailable, please try

Virustotal

Do the same for this file:
C:\qdj49.com
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Infection with Trojan Vundo

Unread postby Charlet » June 13th, 2008, 9:03 am

Hello,
Here is the result of scanning jas20.exe with jotti

Scanner results
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

and here is the result of scanning C:\qdj49.com

Scan taken on 13 Jun 2008 12:48:35 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing



Statistics
Last file scanned at least one scanner reported something about: SWFDecompiler.exe (MD5: 3b6271c85b427862634a4218cee3331d, size: 3121152 bytes), detected by:
Scanner Malware name
A-Squared X
AntiVir X
ArcaVir X
Avast Win32:Trojan-gen {Other}
AVG Antivirus X
BitDefender X
ClamAV X
CPsecure X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet X
Ikarus Backdoor.Win32.Ciadoor.123.bz
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
Panda Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 Backdoor.Win32.Ciadoor.123.bz

Thanks - Charlet
Charlet
Active Member
 
Posts: 11
Joined: June 6th, 2008, 11:24 am

Re: Infection with Trojan Vundo

Unread postby Scotty » June 13th, 2008, 4:54 pm

Hi

Do you know what these files are?
C:\qdj49.com & C:\jas20.exe

Could you check they are both there on Local Drive ( C ) and check the file size.

Disable Teatimer
First:

  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident

Second:

  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):

    O2 - BHO: (no name) - {02B9CB8C-4FAC-498F-8D79-D140C515E526} - (no file)
    O2 - BHO: (no name) - {21385345-F60F-4675-B8C8-1918D62FFB06} - (no file)
    O2 - BHO: (no name) - {2776A47C-710A-41F7-924F-E9E010C3EB50} - (no file)
    O2 - BHO: (no name) - {4E48ED95-DC2F-498A-BF39-33E99BC08F7B} - (no file)
    O2 - BHO: (no name) - {791B800F-B7DE-422F-A3E2-0832C8EA4485} - (no file)

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked exit HijackThis and reboot.


Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here with a new Hijackthis log.
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: Infection with Trojan Vundo

Unread postby Charlet » June 16th, 2008, 8:50 am

Hello,

Concerning files jas20.exe and qdj49.com, when listed with Windows Explorer, both files appeared on disk C and were 5 bytes long, with the same date (2007-02-23) and hour of creation. When opening the files with Word 2003, the following was displayed:

jas20.exe --> 51050
qdj49.com --> 65822


When doing a search for files with the date above on disks C and D (partition of disk C), 22 files were found : 1 on disk C, 21 on disk D. However, the two files jas20.exe and qdj49.com did not appear in this list.
The only file found on disk C with the date 2007-02-23, was {2135AFBB-E858-44BB-8AC8-49C24EF0B3BC}.bin, created 13 minutes later in directory C:\WINDOWS\SoftwareDistribution\EventCache.

Then, I disabled Teatimer as you asked, ran HijackThis and Fixed Checks (the 5 lines were present), rebooted the PC and launched Malwarebites’ Antimalware, scanned and Removed Selected (1 file infected) and finished with a new HijackThis.

This is the result of the scan with Malwarebytes' AntiMalware:

Malwarebytes' Anti-Malware 1.17
Version de la base de données: 859

14:12:57 2008-06-16
mbam-log-6-16-2008 (14-12-57).txt

Type de recherche: Examen complet (C:\|D:\|F:\|)
Eléments examinés: 219583
Temps écoulé: 1 hour(s), 2 minute(s), 43 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 1

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

and this is the new Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 14:23, on 2008-06-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Orange HSS\Orange Desktop Search\OrangeDesktopSearch.exe
D:\Program Files\Netscape\Netscape Browser\Netscp.exe
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://recherche.enscpb.fr/piom/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
N3 - Netscape 7: user_pref("browser.startup.homepage", " http://www.ims-bordeaux.fr/"); (C:\Documents and Settings\Charlet de Sauvage\Application Data\Mozilla\Profiles\default\c3islce8.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DrvListnr] C:\Program Files\Analog Devices\SoundMAX\DrvListnr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "D:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "D:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Fichiers communs\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Dimension4] D:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NetTime] D:\NetTime\NetTime.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orange Desktop Search] "C:\Program Files\Orange HSS\Orange Desktop Search\OrangeDesktopSearch.exe" /tray
O4 - HKCU\..\Run: [Mozilla Quick Launch] "d:\Program Files\Netscape\Netscape Browser\Netscp.exe" -turbo
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Fichiers communs\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Assistant d'Acrobat.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player ... taller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = enscpb.fr
O17 - HKLM\Software\..\Telephony: DomainName = enscpb.fr
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = enscpb.fr
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Service Framework McAfee (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


Thanks - Charlet
Charlet
Active Member
 
Posts: 11
Joined: June 6th, 2008, 11:24 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 51 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware