MalwareRemoval.com

Having problems with Vundo

Post by bjones20005 » February 15th, 2009, 12:05 pm

I was able to clean some of the issues I'm having but am at this point stuck. Thanks for your time.

Here is my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:38 AM, on 2/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Documents and Settings\Kenny\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kenny\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kenny\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: (no name) - {2f0546d9-e35d-47d7-9020-3383bdf68a91} - (no file)
O2 - BHO: (no name) - {743d6c9c-f2c6-4636-9445-f50351b9aae8} - (no file)
O2 - BHO: (no name) - {75a53c6e-e26c-496a-a7d5-7f7b1b5dde83} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {862d2e39-094d-42a2-94bc-0805b78c10aa} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {debab789-fab0-4ff0-8c51-7256103d484c} - C:\WINDOWS\system32\tilareve.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CPMdf3c3503] Rundll32.exe "c:\windows\system32\viboluku.dll",a
O4 - HKLM\..\Run: [fadababesu] Rundll32.exe "C:\WINDOWS\system32\tilareve.dll",s
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Kenny\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Kenny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [VundoFixTool] C:\Program Files\VundoFixTool\VundoFixTool.exe -boot
O4 - HKUS\S-1-5-19\..\Run: [fadababesu] Rundll32.exe "C:\WINDOWS\system32\tilareve.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [fadababesu] Rundll32.exe "C:\WINDOWS\system32\tilareve.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\tilareve.dll c:\windows\system32\viboluku.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\viboluku.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\viboluku.dll
O23 - Service: McAfee Application Installer Cleanup (0090011232964788) (0090011232964788mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\009001~1.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7369 bytes
bjones20005
Member+
 
Posts: 19
Joined: February 15th, 2009, 11:42 am
Location: Scranton
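The HJT log above shows the same two DLLs, tilareve.dll and viboluku.dll, hooked into several autostart points at once (O2, O4, O20, O21 and O22). As an added example, not part of the original post and not HijackThis's own logic, the Python below triages a log of this kind: it collects every DLL loaded from system32 and reports the entries a reviewer reads first. The sample lines are copied from the log above; which sections count as a loading point and what gets flagged are this example's own assumptions.

```python
"""Triage a HijackThis (HJT) log for the autostart points Vundo abuses.

Added example for this thread; it is not part of the forum post and not
HijackThis's own logic. The sample lines below are copied from the log
posted above; the section meanings and the flagging rules are this
example's own assumptions about what a reviewer looks at first.
"""
import re
from collections import defaultdict

# Entries copied from the posted HJT log (benign lines kept as controls).
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2f0546d9-e35d-47d7-9020-3383bdf68a91} - (no file)
O2 - BHO: (no name) - {debab789-fab0-4ff0-8c51-7256103d484c} - C:\WINDOWS\system32\tilareve.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CPMdf3c3503] Rundll32.exe "c:\windows\system32\viboluku.dll",a
O4 - HKLM\..\Run: [fadababesu] Rundll32.exe "C:\WINDOWS\system32\tilareve.dll",s
O4 - HKUS\S-1-5-19\..\Run: [fadababesu] Rundll32.exe "C:\WINDOWS\system32\tilareve.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\tilareve.dll c:\windows\system32\viboluku.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\viboluku.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\viboluku.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "Oxx - rest of line" prefix used by every HJT entry.
ENTRY = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# Any DLL living directly in system32, wherever it appears in the entry.
SYSTEM32_DLL = re.compile(r"[a-z]:\\windows\\system32\\([a-z0-9_]+\.dll)", re.IGNORECASE)
# Rundll32 calling a DLL through a one-letter export such as ",a" or ",s".
RUNDLL_SHORT_EXPORT = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]+\.dll"?,[a-z]\b', re.IGNORECASE)

# Sections where a system32 DLL is a loading point worth a second look.
REASONS = {
    "O20": "O20: loaded into every process via AppInit_DLLs",
    "O21": "O21: ShellServiceObjectDelayLoad entry (loaded by Explorer at logon)",
    "O22": "O22: SharedTaskScheduler entry (loaded by Explorer at logon)",
}


def triage_hjt(log_text):
    """Map each flagged system32 DLL to the sorted list of reasons it was flagged.

    Only DLLs sitting on one of the checked autostart points are returned; an
    O4 Rundll32 entry with a named export (NvCpl.dll,NvStartup) is not flagged.
    """
    findings = defaultdict(set)
    for raw in log_text.splitlines():
        match = ENTRY.match(raw.strip())
        if not match:
            continue
        section, body = match.groups()
        for dll in {d.lower() for d in SYSTEM32_DLL.findall(body)}:
            if section == "O2" and "(no name)" in body:
                findings[dll].add("O2: browser helper object with no display name")
            elif section == "O4" and RUNDLL_SHORT_EXPORT.search(body):
                findings[dll].add("O4: Run key launching the DLL via a one-letter export")
            elif section in REASONS:
                findings[dll].add(REASONS[section])
    return {dll: sorted(reasons) for dll, reasons in findings.items()}


def rank(findings):
    """Order DLLs by how many distinct autostart points reference them."""
    return sorted(findings.items(), key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for dll, reasons in rank(triage_hjt(SAMPLE_HJT_LOG)):
        print(f"{dll}  ({len(reasons)} loading points)")
        for reason in reasons:
            print(f"    {reason}")
```

Run as a script it lists viboluku.dll first (four loading points) and tilareve.dll second (three); NvCpl.dll, launched by the same Rundll32 mechanism but through a named export from a known vendor, produces no finding. The O2 entries marked "(no file)" are orphans that ComboFix later removes; they carry no payload and are not scored.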

Re: Having problems with Vundo

Post by Bio-Hazard » February 20th, 2009, 11:13 am

Hello and welcome to the forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If you don't know or understand something, please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.

No Reply Within 5 Days Will Result In Your Topic Being Closed!!



Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the Perform Full Scan option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

HOW TO USE COMBOFIX

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • Malwarebytes Antimalware log
  • ComboFix log (found at C:\Combofix.txt)
  • A fresh HijackThis log (after all the above has been done)
  • A description of how your computer is behaving
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Having problems with Vundo

Post by bjones20005 » February 20th, 2009, 3:09 pm

I am currently out of state visiting relatives but I will follow your instructions and post back when I get home in the next day or two.
bjones20005
Member+
 
Posts: 19
Joined: February 15th, 2009, 11:42 am
Location: Scranton

Re: Having problems with Vundo

Post by Bio-Hazard » February 20th, 2009, 3:13 pm

Thank you for letting me know!
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Having problems with Vundo

Post by bjones20005 » February 21st, 2009, 11:10 pm

Ok, here are the logs you requested. As far as how it's running, it seems a little smoother, but I am almost certain I am still infected. The Trojan.Vundo.H files that were deleted seem to have the pesky habit of popping up with new file names. I count 12 files in C:\WINDOWS\system32\, all hidden. 9 are .dll files that I know don't belong, 2 are .exe files, and 1 has no file type whatsoever. One thing I have noticed is that the infection seems to have a surge of activity periodically and then goes quiet. McAfee will block the same file repeatedly, then go quiet for an hour or two, then block another file repeatedly. Anyways, thanks for your time, and the following are the logs you requested.

Malwarebytes' Anti-Malware 1.34
Database version: 1790
Windows 5.1.2600 Service Pack 3

2/21/2009 9:28:59 PM
mbam-log-2009-02-21 (21-28-59).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 112782
Time elapsed: 34 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\tilareve.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gidirapo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\dspimk.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e71ab762-edf0-4baf-90cc-6fe4481f21ba} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e71ab762-edf0-4baf-90cc-6fe4481f21ba} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{debab789-fab0-4ff0-8c51-7256103d484c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{debab789-fab0-4ff0-8c51-7256103d484c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{debab789-fab0-4ff0-8c51-7256103d484c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e71ab762-edf0-4baf-90cc-6fe4481f21ba} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dc0f069f (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fadababesu (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\tilareve.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\tilareve.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\tilareve.dll -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dspimk.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gidirapo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\oparidig.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tilareve.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\terobugo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

______________________________________________________________________________

ComboFix 09-02-19.01 - Kenny 2009-02-21 21:39:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.680 [GMT -5:00]
Running from: c:\documents and settings\Kenny\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\BReWErS.dll
c:\windows\system32\d3d8caps.dat
H:\autorun.inf
H:\resycled

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
hxxp://82.98.235.208
.
((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))
.

2009-02-21 20:47 . 2009-02-21 20:47 <DIR> d-------- c:\documents and settings\Kenny\Application Data\Malwarebytes
2009-02-21 20:47 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-21 20:46 . 2009-02-21 20:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-21 20:46 . 2009-02-21 20:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-21 20:46 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-18 02:13 . 2009-02-18 02:13 2,713 ---hs---- c:\windows\system32\sidevoku.exe
2009-02-17 08:12 . 2009-02-17 08:12 2,713 ---hs---- c:\windows\system32\fubebije.exe
2009-02-16 14:10 . 2009-02-16 14:10 124,928 --ahs---- c:\windows\system32\jtibrv.dll
2009-02-16 02:09 . 2009-02-16 02:09 124,928 --ahs---- c:\windows\system32\mgvejp.dll
2009-02-16 02:09 . 2009-02-21 21:27 6,456 --ah----- c:\windows\system32\finawuzi
2009-02-15 10:18 . 2009-02-15 10:20 <DIR> d-------- c:\documents and settings\Kenny\Application Data\VundoFixTool
2009-02-15 09:46 . 2009-02-15 11:00 <DIR> d-------- c:\program files\VirusBuster
2009-02-15 09:24 . 2009-02-15 09:24 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-02-15 09:23 . 2009-02-15 09:26 <DIR> d-------- c:\documents and settings\Kenny\.housecall6.6
2009-02-15 09:20 . 2009-02-15 09:19 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-15 09:19 . 2009-02-15 09:19 <DIR> d-------- c:\program files\Java
2009-02-14 16:54 . 2009-02-14 16:54 <DIR> d-------- c:\documents and settings\Administrator
2009-02-04 19:06 . 2009-02-04 19:08 <DIR> d-------- c:\documents and settings\Kenny\Application Data\U3
2009-01-31 22:46 . 2009-01-31 22:46 <DIR> d-------- c:\documents and settings\Kenny\Application Data\Apple Computer
2009-01-31 22:34 . 2009-01-31 22:34 <DIR> d-------- c:\documents and settings\Kenny\Application Data\vlc
2009-01-28 06:45 . 2009-01-28 06:45 <DIR> d-------- c:\documents and settings\Kenny\Application Data\Leadertech
2009-01-28 06:37 . 2009-01-28 06:37 0 --a------ c:\windows\PowerReg.dat
2009-01-26 06:08 . 2009-01-26 06:08 <DIR> d-------- c:\documents and settings\Kenny\Application Data\McAfee
2009-01-25 20:40 . 2009-01-26 05:52 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2009-01-25 20:37 . 2007-05-16 16:45 3,497,832 --a------ c:\windows\system32\d3dx9_34.dll
2009-01-25 20:37 . 2007-05-16 16:45 1,124,720 --a------ c:\windows\system32\D3DCompiler_34.dll
2009-01-25 20:37 . 2007-05-16 16:45 443,752 --a------ c:\windows\system32\d3dx10_34.dll
2009-01-25 03:22 . 2008-10-02 10:07 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2009-01-24 14:57 . 2009-01-25 14:07 114 --a------ c:\windows\SpaceForce-RU.cfg
2009-01-24 14:23 . 2009-01-24 14:23 <DIR> d-------- c:\windows\SpaceForce - Rogue Universe
2009-01-23 09:20 . 2009-01-23 09:20 <DIR> d-------- c:\program files\Common Files\Thraex Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 02:43 --------- d-----w c:\documents and settings\Kenny\Application Data\mjusbsp
2009-02-22 02:31 --------- d-----w c:\program files\McAfee
2009-02-16 19:10 84,480 --sha-w c:\windows\system32\kigujuhi.dll
2009-02-16 19:10 124,928 --sha-w c:\windows\system32\yaruleji.dll
2009-02-16 07:09 84,480 --sha-w c:\windows\system32\sozazela.dll
2009-02-16 07:09 124,928 --sha-w c:\windows\system32\wivozowi.dll
2009-02-15 23:42 84,480 ---ha-w c:\windows\system32\wafetela.dll
2009-02-15 23:42 79,872 ------w c:\windows\system32\heweluwi.dll
2009-02-15 16:01 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-15 14:45 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-15 14:19 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-15 11:42 84,480 ----a-w c:\windows\system32\viboluku.dll
2009-02-15 11:42 124,928 ---ha-w c:\windows\system32\muzaloda.dll
2009-02-14 23:41 124,928 ---ha-w c:\windows\system32\nozigita.dll
2009-02-14 00:22 --------- d-----w c:\documents and settings\Kenny\Application Data\Azureus
2009-02-01 03:39 --------- d-----w c:\documents and settings\Kenny\Application Data\DivX
2009-02-01 03:38 --------- d-----w c:\program files\DivX
2009-01-26 11:08 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-22 04:15 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2009-01-21 12:04 --------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan
2009-01-20 10:44 796,672 ----a-w c:\windows\GPInstall.exe
2009-01-19 02:29 124 ----a-w C:\nvdata.dat
2009-01-19 02:26 611,064 ----a-w c:\windows\system32\drivers\sptd.sys
2009-01-14 07:46 --------- d-----w c:\documents and settings\Kenny\Application Data\vghd
2009-01-14 07:36 152,904 ----a-w c:\windows\system32\vghd.scr
2009-01-11 20:45 --------- d-----w c:\program files\Common Files\Adobe
2009-01-09 17:03 79,304 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-01-09 17:03 40,552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-01-09 17:03 35,272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-01-09 17:03 34,216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-01-09 17:03 213,640 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-01-07 17:51 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-01-06 15:11 --------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-01-01 09:03 --------- d-----w c:\program files\Yahoo!
2009-01-01 09:02 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-01-01 05:06 --------- d-----w c:\documents and settings\All Users\Application Data\Azureus
2008-12-31 05:38 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-12-31 05:36 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-31 03:43 --------- d-----w c:\documents and settings\Kenny\Application Data\Yahoo!
2008-12-30 00:50 --------- d-----w c:\documents and settings\All Users\Application Data\NVIDIA
2008-12-30 00:47 --------- d-----w c:\program files\Windows7
2008-12-29 22:53 --------- d-----w c:\program files\McAfee.com
2008-12-29 22:53 --------- d-----w c:\program files\Common Files\McAfee
2008-12-29 22:26 --------- d-----w c:\program files\CCleaner
2008-12-29 09:33 --------- d-----w c:\documents and settings\Kenny\Application Data\OtakuSoftware
2008-12-29 09:31 --------- d-----w c:\program files\RocketDock
2008-12-29 09:23 --------- d-----w c:\program files\microsoft frontpage
2008-12-29 09:17 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-11 00:33 86,016 ----a-w c:\windows\system32\dpl100.dll
2008-12-11 00:33 200,704 ----a-w c:\windows\system32\dtu100.dll
2008-12-09 02:28 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-12-09 02:28 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-12-09 02:28 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-12-09 02:28 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-08-24 17:12 13,622 ----a-w c:\documents and settings\Kenny\STARTUP.reg
2006-05-06 16:42 7,260,160 ----a-w c:\program files\mozilla firefox\plugins\libvlc.dll
.

------- Sigcheck -------

2008-03-20 13:36 578560 f92d8964b5286de225bd2b6bf89764be c:\windows\system32\user32.dll

2008-04-28 04:25 920064 88348f8c92c28ba99fe49bd392100ce0 c:\windows\system32\wininet.dll

2008-04-28 04:24 547328 a55b8899d2ea2e800061bcfd456e34dc c:\windows\system32\winlogon.exe

2008-04-25 22:58 2185216 e184a0cf10cadd2b4f5af0a31e8627d6 c:\windows\system32\ntkrnlpa.exe

2008-04-25 22:44 2306560 0f733106a818383806060abc29fe0f3a c:\windows\system32\ntoskrnl.exe

2008-08-18 13:17 1616384 4a90f51b778fa0157f60d206e8b37d2a c:\windows\explorer.exe

2008-04-28 04:22 25088 b5e8782d4af1b3756f38e11e7c157bbe c:\windows\system32\ctfmon.exe

2008-03-20 13:36 989696 9a8d604748d9fe73b66021e5782a4a3c c:\windows\system32\kernel32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Kenny\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-28 25088]
"Google Update"="c:\documents and settings\Kenny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-06 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"UnlockerAssistant"="d:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-15 148888]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2008-04-25 c:\windows\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-28 04:22 25088 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2009-02-06 15:23 133104 c:\documents and settings\Kenny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-02-15 09:19 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"d:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"d:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"d:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"d:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\Program Files\\RocketDock\\RocketDock.exe"=
"g:\\autorun.exe"=
"c:\\Documents and Settings\\Kenny\\Application Data\\mjusbsp\\magicJack.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe
\Shell\phone\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-448539723-1644491937-1003.job
- c:\documents and settings\Kenny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-06 15:23]

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]

2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]

2009-02-18 c:\windows\Tasks\VundoFixTool Scheduled Scan.job
- c:\program files\VundoFixTool\VundoFixTool.exe []

2009-02-18 c:\windows\Tasks\VundoFixTool Scheduled Scan.job
- c:\program files\VundoFixTool []
.
- - - - ORPHANS REMOVED - - - -

BHO-{2f0546d9-e35d-47d7-9020-3383bdf68a91} - (no file)
BHO-{743d6c9c-f2c6-4636-9445-f50351b9aae8} - (no file)
BHO-{75a53c6e-e26c-496a-a7d5-7f7b1b5dde83} - (no file)
BHO-{862d2e39-094d-42a2-94bc-0805b78c10aa} - (no file)
MSConfigStartUp-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-QuickTime Task - d:\program files\QuickTime\QTTask.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Kenny\Application Data\Mozilla\Firefox\Profiles\dyhaq92o.default\
FF - plugin: c:\documents and settings\Kenny\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
FF - plugin: d:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\program files\DivX\DivX Web Player\npdivx32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-21 21:43:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(684)
c:\windows\system32\setupapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\windows\system32\rundll32.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\nvsvc32.exe
c:\documents and settings\Kenny\Application Data\mjusbsp\st00000\mjsetup.exe
c:\documents and settings\Kenny\Application Data\mjusbsp\magicJack.exe
.
**************************************************************************
.
Completion time: 2009-02-21 21:45:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-22 02:45:26

Pre-Run: 13,116,522,496 bytes free
Post-Run: 13,264,056,320 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

262



______________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:21 PM, on 2/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\RocketDock\RocketDock.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\Kenny\Application Data\mjusbsp\magicJack.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Kenny\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kenny\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Kenny\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Kenny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5649 bytes
bjones20005
Member+
 
Posts: 19
Joined: February 15th, 2009, 11:42 am
Location: Scranton
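Two things in the ComboFix registry dump above deserve attention from a defender's standpoint: the Security Center values AntiVirusDisableNotify, UpdatesDisableNotify and DisableMonitoring are all set to 1 (which silences the "your protection is off" warnings), and both the firewall's AuthorizedApplications list and the mountpoints2 key reference G:\autorun.exe, an executable at the root of a removable drive. The Python below is an added example for this thread, not ComboFix code and not anything the forum ships; it parses a fragment copied from the log and flags those two patterns. The sample dump is constructed from lines on this page, and the finding labels and the drive-root heuristic are my own choices.

```python
"""Flag Security Center tampering and risky firewall/autorun entries in a
ComboFix-style registry dump.  Added example for this thread; not ComboFix
code and not the forum's own tooling."""
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the registry dump in the ComboFix log above.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Vuze\\Azureus.exe"=
"g:\\autorun.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe
\Shell\phone\command - G:\autorun.exe
"""

# Security Center values that, when set to 1, silence the "protection is off" warnings.
NOTIFY_FLAGS = {"antivirusdisablenotify", "firewalldisablenotify",
                "updatesdisablenotify", "disablemonitoring"}
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# An executable sitting directly in a drive root, e.g. g:\autorun.exe (heuristic, my choice).
DRIVE_ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.IGNORECASE)


def parse_dump(text: str) -> Dict[str, List[str]]:
    """Group the dump's non-empty lines under their [key] headers (keys lower-cased)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def find_findings(text: str) -> List[Tuple[str, str]]:
    """Return (label, detail) pairs for the suspicious patterns found in the dump."""
    findings: List[Tuple[str, str]] = []
    for key, lines in parse_dump(text).items():
        if "security center" in key:
            for line in lines:
                m = VALUE_RE.match(line)
                if (m and m.group("name").lower() in NOTIFY_FLAGS
                        and m.group("data") == "dword:00000001"):
                    findings.append(("security-center-notify-disabled",
                                     f"{m.group('name')} in {key}"))
        elif key.endswith("authorizedapplications\\list"):
            for line in lines:
                m = VALUE_RE.match(line)
                if not m:
                    continue
                path = m.group("name").replace("\\\\", "\\")  # REGEDIT4 doubles backslashes
                if DRIVE_ROOT_EXE_RE.match(path) or path.lower().endswith("\\autorun.exe"):
                    findings.append(("firewall-exception-drive-root", path))
        elif "\\explorer\\mountpoints2\\" in key:
            for line in lines:
                # Per-drive AutoRun handlers are how removable-media infections get re-launched.
                if "\\shell\\autorun\\command" in line.lower():
                    findings.append(("removable-autorun-handler", line.split(" - ", 1)[-1]))
    return findings


if __name__ == "__main__":
    for label, detail in find_findings(SAMPLE_DUMP):
        print(f"{label:32s} {detail}")
```

Run as-is it lists four disabled-notification values, the g:\autorun.exe firewall exception and the G: AutoRun handler; the Azureus and sessmgr.exe exceptions are left alone because the heuristic only cares about executables living in a drive root.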

Re: Having problems with Vundo

Unread postby Bio-Hazard » February 22nd, 2009, 4:33 pm

Use of P2P (Person to Person) file sharing programs

I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Azureus

Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them. Please remove it before we can continue any further. Post back when you have done it so we can continue the cleaning process.

NOTE: Even if you are using a safe P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.


I have added those folders to be deleted with combofix.



Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

Code:
File::
c:\windows\Tasks\VundoFixTool Scheduled Scan.job
c:\windows\system32\sidevoku.exe
c:\windows\system32\fubebije.exe
c:\windows\system32\jtibrv.dll
c:\windows\system32\mgvejp.dll
c:\windows\system32\kigujuhi.dll
c:\windows\system32\yaruleji.dll
c:\windows\system32\sozazela.dll
c:\windows\system32\wivozowi.dll
c:\windows\system32\wafetela.dll
c:\windows\system32\heweluwi.dll
c:\windows\system32\viboluku.dll
c:\windows\system32\muzaloda.dll
c:\windows\system32\nozigita.dll
c:\windows\GPInstall.exe

Folder::
c:\program files\VirusBuster
c:\program files\VundoFixTool
c:\windows\system32\finawuzi
c:\documents and settings\Kenny\Application Data\VundoFixTool
c:\documents and settings\Kenny\Application Data\Azureus
c:\documents and settings\All Users\Application Data\Azureus

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Vuze\\Azureus.exe"=-
"g:\\autorun.exe"=-


Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)


(Image: CFScript.txt being dragged onto ComboFix.exe)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

NOTE: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


ATF-Cleaner

Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords please click No at the prompt.
  • Click Exit on the Main menu to close the program.


Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.


Next Reply

Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • Kaspersky Log
  • New HijackThis log
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Having problems with Vundo

Unread postby bjones20005 » February 23rd, 2009, 1:28 am

Well I ran the script using combofix and when I was looking at the log I noticed one thing that was wrong with the script. c:\windows\system32\finawuzi is a file in c:\windows\system32\ with no file extension so it didn't get deleted. Should I just delete this manually? I also ran atf-cleaner and am currently waiting for the kaspersky online scan to finish which looks like it is going to take several hours. I will post all of the logs when it is done.
bjones20005
Member+
 
Posts: 19
Joined: February 15th, 2009, 11:42 am
Location: Scranton
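The point bjones20005 raises above is a real pitfall with the CFScript procedure Bio-Hazard described: c:\windows\system32\finawuzi appears in the "Files Created" section of the ComboFix log as a 6,456-byte hidden file (attributes --ah-----) with no extension, yet the script listed it under Folder::. The Python below is an added example for this thread, not ComboFix code and not anything the forum ships; it cross-checks each File:: and Folder:: entry of a CFScript against a ComboFix "Files Created" listing and reports entries whose type disagrees with the section they sit in. The sample script and listing are constructed from lines on this page, and the verdict labels are my own.

```python
"""Cross-check a ComboFix CFScript against a ComboFix 'Files Created' listing.
Added example for this thread; not ComboFix code and not the forum's own tooling."""
import re
from typing import Dict, List

# Constructed sample: one File:: entry, two Folder:: entries and a Registry::
# section, in the layout the CFScript in this thread uses.
SAMPLE_CFSCRIPT = r"""File::
c:\windows\GPInstall.exe

Folder::
c:\program files\VundoFixTool
c:\windows\system32\finawuzi

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"g:\\autorun.exe"=-
"""

# Constructed sample: lines copied from the 'Files Created' section of the ComboFix log.
SAMPLE_LISTING = r"""2009-02-21 20:46 . 2009-02-21 20:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-16 02:09 . 2009-02-21 21:27 6,456 --ah----- c:\windows\system32\finawuzi
2009-02-15 09:19 . 2009-02-15 09:19 <DIR> d-------- c:\program files\Java
"""

# created-time . modified-time size-or-<DIR> attrs path
LISTING_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'Name::' sections, one list of lines each."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("::"):
            current = line[:-2]
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_listing(text: str) -> Dict[str, dict]:
    """Map each listed path (lower-cased) to its directory flag, hidden flag and size."""
    entries: Dict[str, dict] = {}
    for raw in text.splitlines():
        m = LISTING_RE.match(raw.strip())
        if m:
            entries[m.group("path").lower()] = {
                "is_dir": m.group("size") == "<DIR>",
                "hidden": "h" in m.group("attrs"),   # 'h' in the attribute string = hidden
                "size": m.group("size"),
            }
    return entries


def check_script(script: str, listing: str) -> List[dict]:
    """For every File::/Folder:: entry, say whether the listing agrees with its section."""
    sections = parse_cfscript(script)
    known = parse_listing(listing)
    report: List[dict] = []
    for section, want_dir in (("File", False), ("Folder", True)):
        for path in sections.get(section, []):
            info = known.get(path.lower())
            if info is None:
                verdict = "not-in-listing"       # cannot tell from this listing alone
            elif info["is_dir"] == want_dir:
                verdict = "ok"
            else:
                verdict = "listed-as-directory" if info["is_dir"] else "listed-as-file"
            report.append({"section": section, "path": path, "verdict": verdict,
                           "hidden": bool(info and info["hidden"])})
    return report


if __name__ == "__main__":
    for row in check_script(SAMPLE_CFSCRIPT, SAMPLE_LISTING):
        flag = " (hidden)" if row["hidden"] else ""
        print(f"{row['section']:6s} {row['verdict']:20s} {row['path']}{flag}")
```

On the sample input the finawuzi entry comes back as listed-as-file and hidden, which is exactly the mismatch noted above; the other two entries are reported as not-in-listing because the excerpt of the "Files Created" section does not mention them, so the check says nothing about them either way.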

Re: Having problems with Vundo

Unread postby bjones20005 » February 23rd, 2009, 2:55 am

Ok here are the 3 logs and I haven't done anything with the file mentioned in my last post.

ComboFix 09-02-21.01 - Kenny 2009-02-22 22:25:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.671 [GMT -5:00]
Running from: c:\documents and settings\Kenny\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kenny\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\GPInstall.exe
c:\windows\system32\fubebije.exe
c:\windows\system32\heweluwi.dll
c:\windows\system32\jtibrv.dll
c:\windows\system32\kigujuhi.dll
c:\windows\system32\mgvejp.dll
c:\windows\system32\muzaloda.dll
c:\windows\system32\nozigita.dll
c:\windows\system32\sidevoku.exe
c:\windows\system32\sozazela.dll
c:\windows\system32\viboluku.dll
c:\windows\system32\wafetela.dll
c:\windows\system32\wivozowi.dll
c:\windows\system32\yaruleji.dll
c:\windows\Tasks\VundoFixTool Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Azureus
c:\documents and settings\All Users\Application Data\Azureus\azCID.txt
c:\documents and settings\Kenny\Application Data\Azureus
c:\documents and settings\Kenny\Application Data\Azureus\.certs
c:\documents and settings\Kenny\Application Data\Azureus\.keystore
c:\documents and settings\Kenny\Application Data\Azureus\.lock
c:\documents and settings\Kenny\Application Data\Azureus\active\00C07707C5DC0342EF754BD878F89487AB038D55.dat
c:\documents and settings\Kenny\Application Data\Azureus\active\00C07707C5DC0342EF754BD878F89487AB038D55.dat.bak
c:\documents and settings\Kenny\Application Data\Azureus\active\25376AAC15F9DC97AC55DDB4888B7D87140D83D8.dat
c:\documents and settings\Kenny\Application Data\Azureus\active\25376AAC15F9DC97AC55DDB4888B7D87140D83D8.dat.bak
c:\documents and settings\Kenny\Application Data\Azureus\active\64A4B99426FCEDCE6A84166BEB0A3EA1B98164E5.dat
c:\documents and settings\Kenny\Application Data\Azureus\active\64A4B99426FCEDCE6A84166BEB0A3EA1B98164E5.dat.bak
c:\documents and settings\Kenny\Application Data\Azureus\active\8DF2F08C6F3E0A2F0ADAE2C980A3E3829B065FB7.dat
c:\documents and settings\Kenny\Application Data\Azureus\active\8DF2F08C6F3E0A2F0ADAE2C980A3E3829B065FB7.dat.bak
c:\documents and settings\Kenny\Application Data\Azureus\active\BEF96AFDD38E550C69C054F5B7934C437E34390E.dat
c:\documents and settings\Kenny\Application Data\Azureus\active\BEF96AFDD38E550C69C054F5B7934C437E34390E.dat.bak
c:\documents and settings\Kenny\Application Data\Azureus\active\cache.dat
c:\documents and settings\Kenny\Application Data\Azureus\azureus.config
c:\documents and settings\Kenny\Application Data\Azureus\azureus.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\azureus.statistics
c:\documents and settings\Kenny\Application Data\Azureus\azureus.statistics.bak
c:\documents and settings\Kenny\Application Data\Azureus\banips.config
c:\documents and settings\Kenny\Application Data\Azureus\banips.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\cnetworks.config
c:\documents and settings\Kenny\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\Kenny\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\Kenny\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\Kenny\Application Data\Azureus\dht\general.dat
c:\documents and settings\Kenny\Application Data\Azureus\dht\version.dat
c:\documents and settings\Kenny\Application Data\Azureus\downloads.config
c:\documents and settings\Kenny\Application Data\Azureus\downloads.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\filters.config
c:\documents and settings\Kenny\Application Data\Azureus\friends.config
c:\documents and settings\Kenny\Application Data\Azureus\friends.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\ipfilter.cache
c:\documents and settings\Kenny\Application Data\Azureus\metasearch.config
c:\documents and settings\Kenny\Application Data\Azureus\metasearch.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\net\pm_33287.dat
c:\documents and settings\Kenny\Application Data\Azureus\net\pm_default.dat
c:\documents and settings\Kenny\Application Data\Azureus\sidebarauto.config
c:\documents and settings\Kenny\Application Data\Azureus\sidebarauto.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\subs\047969C2F30A401262F9.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\04C5EE008E353478F7DD.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\065BC7FC173B034D8ED1.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\0F193C9F601B15C4EFFE.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\13CCCA643B4D4185F7D8.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\21B6F154E1FA75E4DF0A.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\23C07FC046663EDB38E5.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\266C07A91A74D8CD05D0.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\2DD34BCB85CDDCB979F0.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\38F14939A1ADE522383C.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\400B09C6BFC041C77125.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\428870FB845DFB86BDFF.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\475A6FF4074864929368.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\581765478D3517627C73.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\5CBA0BA6AAA42E09B126.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\604C7F8616B38291CB89.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\645D29A4C5D9F90606BB.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\665FF0562B56B49EB83D.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\6824755C86CF5244EBB4.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\708C5D9333EC9E54E297.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\722FEC9BA057A883FE52.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\740AF5DF29177BDBE64C.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\7472680B49ACBCFA19D9.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\7EB198584F3721914E9D.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\87E23B1872099785E348.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\88831EE079954AC53525.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\A3287F0DF2346D598B5D.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\AA18A55630A89D766D85.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\AF734186BA1B192A332E.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\BBA708018991E48BD0CC.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\C2CA97BB53F50A950F22.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\C934D50DEAE6A54A6D1D.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\DC10272782C80481871B.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\DCC7B1A9E6EC36ED1548.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subs\FF68A7E4DB63E9E17CE9.vuze
c:\documents and settings\Kenny\Application Data\Azureus\subscriptions.config
c:\documents and settings\Kenny\Application Data\Azureus\subscriptions.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\tables.config
c:\documents and settings\Kenny\Application Data\Azureus\tables.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\timingstats.dat
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU28788.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU28789.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU28790.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU28791.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU28792.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU28793.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU28794.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU28795.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU28800.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU28801.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tmp\AZU28802.tmp
c:\documents and settings\Kenny\Application Data\Azureus\torrents\AZU36498.tmp
c:\documents and settings\Kenny\Application Data\Azureus\torrents\AZU36500.tmp
c:\documents and settings\Kenny\Application Data\Azureus\torrents\AZU46169.tmp
c:\documents and settings\Kenny\Application Data\Azureus\torrents\AZU46172.tmp
c:\documents and settings\Kenny\Application Data\Azureus\tracker.config
c:\documents and settings\Kenny\Application Data\Azureus\tracker.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\unsentdata.config
c:\documents and settings\Kenny\Application Data\Azureus\unsentdata.config.bak
c:\documents and settings\Kenny\Application Data\Azureus\update.log
c:\documents and settings\Kenny\Application Data\Azureus\update.properties
c:\documents and settings\Kenny\Application Data\Azureus\v3.Friends.dat
c:\documents and settings\Kenny\Application Data\Azureus\v3.Friends.dat.bak
c:\documents and settings\Kenny\Application Data\Azureus\VuzeActivities.config
c:\documents and settings\Kenny\Application Data\Azureus\VuzeActivities.config.bak
c:\documents and settings\Kenny\Application Data\VundoFixTool
c:\documents and settings\Kenny\Application Data\VundoFixTool\Log\2009 Feb 15 - 10_18_57 AM_625.log
c:\documents and settings\Kenny\Application Data\VundoFixTool\rs.dat
c:\documents and settings\Kenny\Application Data\VundoFixTool\Settings\ScanResults.pie
c:\program files\VirusBuster
c:\program files\VirusBuster\Update\HTTP\vb.idx
c:\program files\VirusBuster\Update\HTTP\vdb.inh
c:\windows\GPInstall.exe
c:\windows\system32\finawuzi\
c:\windows\system32\fubebije.exe
c:\windows\system32\heweluwi.dll
c:\windows\system32\jtibrv.dll
c:\windows\system32\kigujuhi.dll
c:\windows\system32\mgvejp.dll
c:\windows\system32\muzaloda.dll
c:\windows\system32\nozigita.dll
c:\windows\system32\sidevoku.exe
c:\windows\system32\sozazela.dll
c:\windows\system32\viboluku.dll
c:\windows\system32\wafetela.dll
c:\windows\system32\wivozowi.dll
c:\windows\system32\yaruleji.dll
c:\windows\Tasks\VundoFixTool Scheduled Scan.job

.
((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-02-21 21:50 . 2009-02-21 21:50 <DIR> d--h----- c:\windows\PIF
2009-02-21 20:47 . 2009-02-21 20:47 <DIR> d-------- c:\documents and settings\Kenny\Application Data\Malwarebytes
2009-02-21 20:47 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-21 20:46 . 2009-02-21 20:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-21 20:46 . 2009-02-21 20:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-21 20:46 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-16 02:09 . 2009-02-21 21:27 6,456 --ah----- c:\windows\system32\finawuzi
2009-02-15 09:24 . 2009-02-15 09:24 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-02-15 09:23 . 2009-02-15 09:26 <DIR> d-------- c:\documents and settings\Kenny\.housecall6.6
2009-02-15 09:20 . 2009-02-15 09:19 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-15 09:19 . 2009-02-15 09:19 <DIR> d-------- c:\program files\Java
2009-02-14 16:54 . 2009-02-14 16:54 <DIR> d-------- c:\documents and settings\Administrator
2009-02-04 19:06 . 2009-02-04 19:08 <DIR> d-------- c:\documents and settings\Kenny\Application Data\U3
2009-01-31 22:46 . 2009-01-31 22:46 <DIR> d-------- c:\documents and settings\Kenny\Application Data\Apple Computer
2009-01-31 22:34 . 2009-01-31 22:34 <DIR> d-------- c:\documents and settings\Kenny\Application Data\vlc
2009-01-28 06:45 . 2009-01-28 06:45 <DIR> d-------- c:\documents and settings\Kenny\Application Data\Leadertech
2009-01-28 06:37 . 2009-01-28 06:37 0 --a------ c:\windows\PowerReg.dat
2009-01-26 06:08 . 2009-01-26 06:08 <DIR> d-------- c:\documents and settings\Kenny\Application Data\McAfee
2009-01-25 20:40 . 2009-01-26 05:52 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2009-01-25 20:37 . 2007-05-16 16:45 3,497,832 --a------ c:\windows\system32\d3dx9_34.dll
2009-01-25 20:37 . 2007-05-16 16:45 1,124,720 --a------ c:\windows\system32\D3DCompiler_34.dll
2009-01-25 20:37 . 2007-05-16 16:45 443,752 --a------ c:\windows\system32\d3dx10_34.dll
2009-01-25 03:22 . 2008-10-02 10:07 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2009-01-24 14:57 . 2009-01-25 14:07 114 --a------ c:\windows\SpaceForce-RU.cfg
2009-01-24 14:23 . 2009-01-24 14:23 <DIR> d-------- c:\windows\SpaceForce - Rogue Universe
2009-01-23 09:20 . 2009-01-23 09:20 <DIR> d-------- c:\program files\Common Files\Thraex Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 02:43 --------- d-----w c:\documents and settings\Kenny\Application Data\mjusbsp
2009-02-22 02:31 --------- d-----w c:\program files\McAfee
2009-02-15 16:01 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-15 14:45 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-15 14:19 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-01 03:39 --------- d-----w c:\documents and settings\Kenny\Application Data\DivX
2009-02-01 03:38 --------- d-----w c:\program files\DivX
2009-01-26 11:08 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-01-22 04:15 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2009-01-21 12:04 --------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan
2009-01-19 02:29 124 ----a-w C:\nvdata.dat
2009-01-19 02:26 611,064 ----a-w c:\windows\system32\drivers\sptd.sys
2009-01-14 07:46 --------- d-----w c:\documents and settings\Kenny\Application Data\vghd
2009-01-14 07:36 152,904 ----a-w c:\windows\system32\vghd.scr
2009-01-11 20:45 --------- d-----w c:\program files\Common Files\Adobe
2009-01-09 17:03 79,304 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-01-09 17:03 40,552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-01-09 17:03 35,272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-01-09 17:03 34,216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-01-09 17:03 213,640 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-01-07 17:51 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-01-06 15:11 --------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-01-01 09:03 --------- d-----w c:\program files\Yahoo!
2009-01-01 09:02 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-31 05:38 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-12-31 05:36 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-31 03:43 --------- d-----w c:\documents and settings\Kenny\Application Data\Yahoo!
2008-12-30 00:50 --------- d-----w c:\documents and settings\All Users\Application Data\NVIDIA
2008-12-30 00:47 --------- d-----w c:\program files\Windows7
2008-12-29 22:53 --------- d-----w c:\program files\McAfee.com
2008-12-29 22:53 --------- d-----w c:\program files\Common Files\McAfee
2008-12-29 22:26 --------- d-----w c:\program files\CCleaner
2008-12-29 09:33 --------- d-----w c:\documents and settings\Kenny\Application Data\OtakuSoftware
2008-12-29 09:31 --------- d-----w c:\program files\RocketDock
2008-12-29 09:23 --------- d-----w c:\program files\microsoft frontpage
2008-12-29 09:17 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-11 00:33 86,016 ----a-w c:\windows\system32\dpl100.dll
2008-12-11 00:33 200,704 ----a-w c:\windows\system32\dtu100.dll
2008-12-09 02:28 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-12-09 02:28 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-12-09 02:28 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-12-09 02:28 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-08-24 17:12 13,622 ----a-w c:\documents and settings\Kenny\STARTUP.reg
2006-05-06 16:42 7,260,160 ----a-w c:\program files\mozilla firefox\plugins\libvlc.dll
.

------- Sigcheck -------

2008-03-20 13:36 578560 f92d8964b5286de225bd2b6bf89764be c:\windows\system32\user32.dll

2008-04-28 04:25 920064 88348f8c92c28ba99fe49bd392100ce0 c:\windows\system32\wininet.dll

2008-04-28 04:24 547328 a55b8899d2ea2e800061bcfd456e34dc c:\windows\system32\winlogon.exe

2008-04-25 22:58 2185216 e184a0cf10cadd2b4f5af0a31e8627d6 c:\windows\system32\ntkrnlpa.exe

2008-04-25 22:44 2306560 0f733106a818383806060abc29fe0f3a c:\windows\system32\ntoskrnl.exe

2008-08-18 13:17 1616384 4a90f51b778fa0157f60d206e8b37d2a c:\windows\explorer.exe

2008-04-28 04:22 25088 b5e8782d4af1b3756f38e11e7c157bbe c:\windows\system32\ctfmon.exe

2008-03-20 13:36 989696 9a8d604748d9fe73b66021e5782a4a3c c:\windows\system32\kernel32.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-02-21_21.44.38.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-22 01:42:33 32,768 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-23 03:21:24 32,768 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-22 01:42:33 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-23 03:21:24 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Kenny\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-28 25088]
"Google Update"="c:\documents and settings\Kenny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-06 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"UnlockerAssistant"="d:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-15 148888]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2008-04-25 c:\windows\system32\advpack.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-28 04:22 25088 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2009-02-06 15:23 133104 c:\documents and settings\Kenny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-02-15 09:19 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"d:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"d:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"d:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"d:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\Program Files\\RocketDock\\RocketDock.exe"=
"c:\\Documents and Settings\\Kenny\\Application Data\\mjusbsp\\magicJack.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe
\Shell\phone\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-448539723-1644491937-1003.job
- c:\documents and settings\Kenny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-06 15:23]

2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]

2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Kenny\Application Data\Mozilla\Firefox\Profiles\dyhaq92o.default\
FF - plugin: c:\documents and settings\Kenny\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
FF - plugin: d:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\program files\DivX\DivX Web Player\npdivx32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 22:27:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(684)
c:\windows\system32\setupapi.dll
.
Completion time: 2009-02-22 22:28:05
ComboFix-quarantined-files.txt 2009-02-23 03:28:02
ComboFix2.txt 2009-02-22 02:45:31

Pre-Run: 13,238,431,744 bytes free
Post-Run: 13,237,583,872 bytes free

354


____________________________________________________________________________


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, February 23, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, February 23, 2009 04:45:40
Records in database: 1833266
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 52088
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:38:55

No malware has been detected. The scan area is clean.

The selected area was scanned.


_________________________________________________________________________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:00 AM, on 2/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\RocketDock\RocketDock.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Kenny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Kenny\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kenny\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Kenny\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Kenny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5670 bytes
bjones20005
Member+
 
Posts: 19
Joined: February 15th, 2009, 11:42 am
Location: Scranton

Re: Having problems with Vundo

Unread postby Bio-Hazard » February 24th, 2009, 8:18 am

Well I ran the script using ComboFix and when I was looking at the log I noticed one thing that was wrong with the script. c:\windows\system32\finawuzi is a file in c:\windows\system32\ with no file extension, so it didn't get deleted. Should I just delete this manually?


Yes, delete that file manually. If you have any problems please let me know.


Please go to this folder and post that log for me to see: C:\QooBox\Add-Remove Programs.txt.


How is the computer behaving now? Can you also post a new HijackThis log for me to see?
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Having problems with Vundo

Unread postby bjones20005 » February 24th, 2009, 8:47 am

Computer seems to be back to normal now. Was able to delete the file just fine. Here are the logs you requested.


ÀÌÕ program\SWF to EXE
AAC Decoder
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8
AutoUpdate
CCleaner (remove only)
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Google Chrome
H.264 Decoder
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
IZArc 3.81
Java(TM) 6 Update 12
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 2.0
Microsoft Visual C++ 2005 Redistributable
MKV Splitter
Mozilla Firefox (3.0.6)
Neverwinter Nights
Neverwinter Nights 2
NVIDIA Drivers
Realtek AC'97 Audio
RocketDock 1.3.5
Unlocker 1.8.5
VC80CRTRedist - 8.0.50727.762
VideoLAN VLC media player 0.8.5
WebFldrs XP
WinRAR archiver


_________________________________________________________________________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:56 AM, on 2/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\RocketDock\RocketDock.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Kenny\Application Data\mjusbsp\magicJack.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Kenny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Kenny\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kenny\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Kenny\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Kenny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5733 bytes
bjones20005
Member+
 
Posts: 19
Joined: February 15th, 2009, 11:42 am
Location: Scranton

Re: Having problems with Vundo

Unread postby Bio-Hazard » February 25th, 2009, 4:55 pm

Hello!

Looking at the ComboFix log there are a few files that I am concerned with. I was hoping the Kaspersky scan would have revealed something. So we need to upload some files to either VirusTotal or Jotti.


I'd like you to check (a file/some files) for Viruses.
c:\windows\system32\user32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\winlogon.exe
c:\windows\system32\ntkrnlpa.exe
c:\windows\system32\ntoskrnl.exe
c:\windows\explorer.exe
c:\windows\system32\ctfmon.exe
c:\windows\system32\kernel32.dll

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Copy and Paste results in your next reply.
  • Repeat for all files on the list, and post me the details please.

Could you also post a new HijackThis log for me to see.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
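As an added example (not code from the thread, from ComboFix or from VirusTotal/Jotti), the Python below parses Sigcheck lines in the layout shown in the ComboFix log above and compares each file's recorded size and MD5 with the copy now on disk, so a helper can tell whether a flagged system file has changed since the scan before sending it for a multi-engine check. Only the line layout and the winlogon.exe entry come from the thread; the function names, the path_map rewrite and the demo's stand-in files are assumptions.

```python
import hashlib
import os
import re
import tempfile

# A Sigcheck line as ComboFix prints it (format taken from the log above):
# 2008-03-20 13:36 578560 f92d8964b5286de225bd2b6bf89764be c:\windows\system32\user32.dll
SIGCHECK_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<md5>[0-9a-f]{32}) (?P<path>.+)$"
)

def parse_sigcheck(text):
    """Return one dict per Sigcheck line in text; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries

def md5_of_file(path):
    """Hex MD5 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(entries, path_map=None):
    """Compare each entry's recorded size and MD5 with the file now on disk.

    path_map (an assumed helper, not a ComboFix feature) rewrites the logged Windows
    paths to local ones. Per logged path the result is 'ok', 'mismatch' (size or hash
    differs, i.e. the file changed since the scan) or 'missing'.
    """
    results = {}
    for e in entries:
        local = (path_map or {}).get(e["path"], e["path"])
        if not os.path.isfile(local):
            results[e["path"]] = "missing"
            continue
        size_ok = os.path.getsize(local) == e["size"]
        hash_ok = md5_of_file(local) == e["md5"]
        results[e["path"]] = "ok" if size_ok and hash_ok else "mismatch"
    return results

def demo():
    """Offline run over constructed stand-in files (not the thread's real binaries)."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "user32.dll")
    changed = os.path.join(tmp, "kernel32.dll")
    with open(good, "wb") as f:
        f.write(b"A" * 100)
    with open(changed, "wb") as f:
        f.write(b"B" * 100)
    # Constructed log: line 1 records the true hash of 'good'; line 2 a hash that no
    # longer matches 'changed'; line 3 is the winlogon.exe entry copied from the thread,
    # mapped to a path that does not exist locally.
    log = (
        "------- Sigcheck -------\n\n"
        f"2008-03-20 13:36 100 {md5_of_file(good)} c:\\windows\\system32\\user32.dll\n\n"
        f"2008-03-20 13:36 100 {'0' * 32} c:\\windows\\system32\\kernel32.dll\n\n"
        "2008-04-28 04:24 547328 a55b8899d2ea2e800061bcfd456e34dc c:\\windows\\system32\\winlogon.exe\n"
    )
    path_map = {
        "c:\\windows\\system32\\user32.dll": good,
        "c:\\windows\\system32\\kernel32.dll": changed,
        "c:\\windows\\system32\\winlogon.exe": os.path.join(tmp, "winlogon.exe"),
    }
    return verify(parse_sigcheck(log), path_map)
```

A 'mismatch' on a file the scan recorded only says the file differs from what ComboFix saw; whether the current copy is malicious still needs the multi-engine lookup the post asks for.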

Re: Having problems with Vundo

Unread postby bjones20005 » February 25th, 2009, 7:30 pm

Ok, Jotti gave me a clean bill of health across the board for all of those files. Computer is running great now. One question I do have is, since my McAfee wasn't able to prevent/remove my infection, what AV software do you feel is the best, since mine isn't really doing its job?
bjones20005
Member+
 
Posts: 19
Joined: February 15th, 2009, 11:42 am
Location: Scranton

Re: Having problems with Vundo

Unread postby Bio-Hazard » February 27th, 2009, 7:54 am

Hello!

I want to dig a little bit deeper just to be sure.

random's system information tool (RSIT)

  • Download random's system information tool (RSIT) by random/random from HERE and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt (<<will be maximized)
    • info.txt (<<will be minimized)
  • Post both of these logs in your next reply (sometimes you have to make several posts to get the logs posted).
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Having problems with Vundo

Unread postby Gary R » March 5th, 2009, 9:31 am

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire