MalwareRemoval.com - Malware Removal Instructions

Problem with Vundo.H and possibly more.

Post by Fletch101 » April 27th, 2009, 10:59 pm

I started getting some pop-ups last night. I updated and ran Malwarebytes' Anti-Malware. It found some infections but couldn't get rid of them. Please help.

HijackThis Logfile
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59 PM, on 4/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: (no name) - {a505d46e-77f9-4834-854f-6b6bc2cc7570} - C:\WINDOWS\system32\kedefate.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [hepavolole] Rundll32.exe "C:\WINDOWS\system32\popakiwu.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKUS\S-1-5-19\..\Run: [hepavolole] Rundll32.exe "C:\WINDOWS\system32\popakiwu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [hepavolole] Rundll32.exe "C:\WINDOWS\system32\popakiwu.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\selugawa.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 4778 bytes
Fletch101 (Active Member, Posts: 12, Joined: April 27th, 2009, 10:34 pm)
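The entries in the log above that point at a Vundo-style infection (the hosts redirections, the nameless BHO whose DLL is missing, the Rundll32 Run entries mirrored under the LOCAL SERVICE and NETWORK SERVICE hives, and the AppInit_DLLs value) can be pulled out mechanically. The script below is an added example, not part of the original post and not a HijackThis feature: it reads HijackThis-format lines and flags the ones a helper would ask about. The sample lines are copied from the log posted above; the consonant/vowel file-name heuristic is an assumption of this example, not a published signature.

```python
import re
from typing import List, Tuple

# Lines copied from the HijackThis log posted above. Benign entries (NvCplDaemon,
# ctfmon, the stale ICQ Lite button, the NVIDIA service) are included to show
# that they are not flagged.
SAMPLE_LOG = r"""
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: (no name) - {a505d46e-77f9-4834-854f-6b6bc2cc7570} - C:\WINDOWS\system32\kedefate.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hepavolole] Rundll32.exe "C:\WINDOWS\system32\popakiwu.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [hepavolole] Rundll32.exe "C:\WINDOWS\system32\popakiwu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [hepavolole] Rundll32.exe "C:\WINDOWS\system32\popakiwu.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\selugawa.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY = re.compile(r"^([ORF]\d+) - (.*)$")
# Any .dll/.exe living directly in system32, which is where Vundo dropped its modules.
MODULE = re.compile(r"\\system32\\([A-Za-z0-9_]+)\.(?:dll|exe)", re.IGNORECASE)
# Assumption of this example: Vundo-era droppers used 8-10 letter names built from
# alternating consonant/vowel pairs (kedefate, popakiwu, selugawa). This is a
# heuristic, so a hit means "look closer", not "malicious".
CV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4,5}$")
# Run entries under the built-in service-account hives (SYSTEM, LOCAL SERVICE,
# NETWORK SERVICE); legitimate installers rarely write there.
SERVICE_HIVE = re.compile(r"HKUS\\S-1-5-(?:18|19|20)\\")
# Hosts entries pointing anywhere but the local machine are redirections.
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reasons, line) for every log entry worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        modules = [name.lower() for name in MODULE.findall(body)]
        if any(CV_NAME.match(name) for name in modules):
            reasons.append("consonant/vowel random-looking module name in system32")
        if section == "O1":
            parts = body.split()  # "Hosts:", address, hostname
            if len(parts) >= 3 and parts[1] not in LOCAL_ADDRS:
                reasons.append(f"hosts file sends {parts[2]} to {parts[1]}")
        elif section == "O2" and ("(no name)" in body or "(file missing)" in body):
            reasons.append("BHO with no name or a missing file")
        elif section == "O4" and SERVICE_HIVE.search(body):
            reasons.append("Run entry under a built-in service-account hive")
        elif section == "O20" and body.startswith("AppInit_DLLs:") and modules:
            reasons.append("AppInit_DLLs injects this module into every process that loads user32")
        if reasons:
            findings.append((section, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for section, reasons, line in triage(SAMPLE_LOG):
        print(f"{section:4} {reasons}\n     {line}")
```

Every hit is a "look closer", not a verdict: a BHO with a missing file can be an uninstall leftover, and AppInit_DLLs is occasionally used by legitimate software. What running this over a log buys you is that it surfaces the same cluster of entries (hosts, BHO, Run, AppInit_DLLs) that together point at one infection, which is exactly the cluster the helper acts on in the next post.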

Re: Problem with Vundo.H and possibly more.

Post by gringo_pr » April 28th, 2009, 12:47 am

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Before we start: Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to take your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Some things to remember while we are working together:

    1. Please do not run any other tool until instructed to do so!
    2. Please reply to this thread, do not start another!
    3. Please tell me about any problems that have occurred during the fix.
    4. Please tell me of any other symptoms you may be having, as these can help also.
    5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

: Malwarebytes' Anti-Malware :

    I would like you to rerun MBAM

  • Double-click the MBAM icon
  • Go to the Update tab at the top
  • Click on Check for Updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

: ComboFix :

    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:

      The Recovery Console was successfully installed.
    Please continue as follows:

    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

: Uninstall List :

    Make an uninstall list using HijackThis
    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.
    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.

: Information and Logs :

    In your next post I need the following

      1.log from MBAM
      2.log from combofix
      3.uninstall list from hijackthis
      4.new hijackthis log

Gringo

gringo_pr (Site Moderator, Posts: 1817, Joined: March 31st, 2007, 1:35 pm, Location: puerto rico)

Re: Problem with Vundo.H and possibly more.

Post by Fletch101 » April 28th, 2009, 2:24 am

Thank you for the quick response! Here are the logs:

MBAM Log:
Malwarebytes' Anti-Malware 1.36
Database version: 2051
Windows 5.1.2600 Service Pack 2

4/28/2009 1:00:41 AM
mbam-log-2009-04-28 (01-00-41).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 240325
Time elapsed: 53 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a505d46e-77f9-4834-854f-6b6bc2cc7570} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a505d46e-77f9-4834-854f-6b6bc2cc7570} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hepavolole (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix Log:
ComboFix 09-04-27.03 - Jeff 04/28/2009 1:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.666 [GMT -5:00]
Running from: c:\documents and settings\Jeff\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\Config.ini
c:\windows\system32\selugawa.dll
c:\windows\system32\sofelafu.exe
c:\windows\system32\TDSSthrq.dat
c:\windows\system32\tmp.reg

----- BITS: Possible infected sites -----

hxxp://216.12.168.130
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_TDSSserv
-------\Service_TDSSserv.sys)


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-27 05:26 . 2009-04-27 05:26 -------- d-----w c:\program files\Trend Micro
2009-04-27 05:21 . 2008-10-22 01:04 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-27 04:51 . 2009-04-27 04:51 -------- d-----w C:\VundoFix Backups
2009-04-04 20:34 . 2009-04-04 20:34 -------- d-----w c:\documents and settings\Jeff\Local Settings\Application Data\Intuit
2009-04-04 20:33 . 2009-04-04 20:33 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 02:18 . 2007-12-01 02:00 -------- d-----w c:\program files\Steam
2009-04-28 01:50 . 2009-04-28 01:50 0 ----a-w c:\documents and settings\Jeff\ntuser.tmp
2009-04-28 01:39 . 2009-01-28 01:39 59904 --sha-w c:\windows\system32\vovugesi.exe
2009-04-27 02:44 . 2008-10-22 05:52 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-27 02:12 . 2009-01-27 02:12 60928 --sha-w c:\windows\system32\tiwunino.exe
2009-04-06 20:32 . 2008-10-22 05:52 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2008-10-22 05:53 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-04 20:33 . 2006-10-31 04:53 72880 ----a-w c:\documents and settings\Jeff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-04 20:31 . 2007-04-14 16:34 -------- d-----w c:\program files\Common Files\Intuit
2009-04-04 20:29 . 2007-04-14 16:33 -------- d-----w c:\program files\TurboTax
2009-03-19 03:35 . 2008-07-03 03:42 -------- d-----w c:\program files\ICQ6
2009-03-17 17:09 . 2009-03-17 17:09 6 ----a-w c:\windows\Fonts\wfonts.key
2009-02-09 01:01 . 2007-05-18 03:33 140216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-09 01:01 . 2007-05-18 03:33 201352 ----a-w c:\windows\system32\PnkBstrB.exe
.

------- Sigcheck -------

[-] 2002-08-29 12:00 516608 2246D8D8F4714A2CEDB21AB9B1849ABB c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2004-08-04 07:56 502272 01C3346C241652F43AED8E2149881BFE c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-10-22 00:52 502272 9B1BD82BD0761B5BA986AF66D2809C30 c:\windows\system32\winlogon.exe

[-] 2002-08-29 12:00 200192 FE84E045A09A4ABC4DEEF7270448B64E c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2004-08-04 07:56 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-10-22 00:52 295424 40FFC19A8D4875E9E19CECDC76EF9201 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-06-21 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave7"= Echo3GWrap.dll
"Midi1"= usbmn4x4.dll
"midi2"= ma_cmidn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Unreal Anthology\\UT2004\\System\\UT2004.exe"=
"c:\\Program Files\\Steam\\SteamApps\\fletch_101\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\fletch_101\\counter-strike source\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\BZFlag2.0.10\\bzfs.exe"=
"c:\\Program Files\\BZFlag2.0.10\\bzflag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"41952:TCP"= 41952:TCP:TVersity 01
"41952:UDP"= 41952:UDP:TVersity 02
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112

R0 FGXSCSI;FGXSCSI; [x]
R3 USB44LDR;M-Audio USB MIDISPORT 4x4 Loader;c:\windows\system32\drivers\usb44ldr.sys [2007-11-14 23080]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2009-02-25 13088]
S3 echo3g;Echo3G Service;c:\windows\system32\drivers\echo3g.sys [2006-08-17 221696]
S3 USBMN4X4;M-Audio USB MidiSport 4x4;c:\windows\system32\drivers\usbmn4x4.sys [2008-01-06 22304]

.
Contents of the 'Scheduled Tasks' folder

2009-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{a505d46e-77f9-4834-854f-6b6bc2cc7570} - c:\windows\system32\kedefate.dll
HKLM-Run-hepavolole - c:\windows\system32\popakiwu.dll
Notify-WgaLogon - (no file)
SafeBoot-TDSScpqg.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\dtklt8bm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 01:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2852)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2009-04-28 1:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-28 06:15

Pre-Run: 12,947,935,232 bytes free
Post-Run: 13,304,872,960 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

181 --- E O F --- 2008-07-09 08:00

HijackThis Uninstall List:
AC3Filter (remove only)
ActivePerl 5.8.8 Build 822
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.8
Adobe SVG Viewer 3.0
Album Art Downloader XUI 0.19
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
Apple Mobile Device Support
Apple Software Update
Auralia 3 Student Edition
Baldur's Gate(TM) II - Throne of Bhaal (TM)
Battlefield 2(TM)
Battlefield 2: Special Forces
Battlefield 2142
BitTorrent 5.0.9
BZFlag 2.0.10 (remove only)
Cakewalk VST Adapter 4.5.1.0
CDRWIN
Chessmaster Grandmaster Edition
Counter-Strike: Source
dBpoweramp DSP Effects
dBpoweramp Music Converter
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DreamStation DXi2
DVD Decrypter (Remove Only)
Echo 3G
EVGA Display Driver
Exact Audio Copy 0.95b4
ffdshow [rev 1723] [2007-12-24]
FLAC 1.2.1b (remove only)
GoldWave v5.25
Half-Life 2
Half-Life 2: Episode One
Half-Life 2: Episode Two
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB932716-v2)
iConcertCal
ICQ6
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 7
Just Great Software EditPad Lite 6.4.3
Left 4 Dead
LucasArts' TIE Fighter
Malwarebytes' Anti-Malware
MediaMonkey 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft WinUsb 1.0
Midisport 4x4 1.0.1.0
Mozilla Firefox (3.0.1)
Mp3tag v2.42
MSXML 6.0 Parser (KB933579)
Nero OEM
NVIDIA Drivers
Oblivion
Oblivion - BTmod 2.20
Oblivion - Horse Armor Pack
Oblivion - Knights of the Nine
Oblivion - Mehrunes Razor
Oblivion - Orrery
Oblivion - Spell Tomes
Oblivion - The Fighter's Stronghold
Oblivion - Thieves Den
Oblivion - Vile Lair
Oblivion - Wizard's Tower
oggcodecs 0.71.0946
Portal
Quake III Arena
Quake III Arena Point Release 1.32
QuickTime
Realtek AC'97 Audio
Renamer 1.1
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Series II MIDI
SONAR 5 Producer Edition
SpeechRedist
Star Wars Jedi Knight Jedi Academy
Star Wars JK II Jedi Outcast
Starcraft
Steam
System Requirements Lab
Team Fortress 2
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax Basic 2007
TVersity Codec Pack 1.2
TVersity Media Server 1.0.0.5 RC3
Unreal Anthology
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Ventrilo Client
WexTech AnswerWorks
Winamp (remove only)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
XnView 1.95.2
X-Wing & TIE Fighter 95 Compatibility Fix

HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18 AM, on 4/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 4526 bytes
Fletch101
Active Member
 
Posts: 12
Joined: April 27th, 2009, 10:34 pm
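The logs in this thread are HijackThis v2 output: one entry per line, a section tag (O4, O9, O23 and so on), then " - " and the body. What follows is an added example, not part of the thread and not HijackThis's own code: a small parser for that format with the first-pass rules a helper applies when reading one. It flags entries whose target is reported "(file missing)", O23 services HijackThis lists as "Unknown owner" (no publisher name it could read from the binary), and O4 Run entries that name a bare file with no directory, such as SOUNDMAN.EXE above, which Windows resolves by path search (the process list shows it came up as C:\WINDOWS\SOUNDMAN.EXE, which is the thing to confirm). The sample log is constructed from lines copied out of the posts; the rules and their wording are this example's own assumptions.

```python
"""Triage a HijackThis v2 log.

Added example, not part of the thread and not HijackThis's own code.  It
parses the one-entry-per-line format used in the posts (section tag,
' - ', body) and flags the entries a helper looks at first.  The sample
log is constructed from lines that appear in the thread; the triage
rules are this example's own assumptions, not HijackThis's.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the thread's HijackThis logs.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 4902 bytes
"""

# Every HijackThis entry starts with a section tag: R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY_RE = re.compile(r"^(?P<tag>[RFNO]\d{1,2}) - (?P<body>.+)$")
# Directories a normal autostart has no business living in (assumed list).
USER_WRITABLE_RE = re.compile(r"\\(temp|application data|local settings)\\", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (tag, reason, original body)


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return one {'tag': ..., 'body': ...} dict per entry line, skipping header and footer."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def o4_command(body: str) -> str:
    """Pull the executable out of an O4 body.

    Registry entries look like 'HKLM\\..\\Run: [Name] "C:\\x.exe" /flag';
    startup-folder entries look like 'Global Startup: x.lnk = C:\\x.exe'
    and carry no arguments, so the rest of the line is the target.
    """
    if "] " in body:
        cmd = body.split("] ", 1)[1].strip()
        if cmd.startswith('"'):
            return cmd[1:cmd.find('"', 1)]
        return cmd.split(" ", 1)[0]
    if " = " in body:
        return body.split(" = ", 1)[1].strip()
    return body.strip()


def triage(entries: List[Dict[str, str]]) -> List[Finding]:
    """Apply the first-pass rules a helper uses when reading a log."""
    findings: List[Finding] = []
    for e in entries:
        tag, body = e["tag"], e["body"]
        if "(file missing)" in body:
            findings.append((tag, "orphaned entry: target no longer exists", body))
        elif tag == "O23" and "Unknown owner" in body:
            findings.append((tag, "service binary carries no publisher name: verify it", body))
        elif tag == "O4":
            exe = o4_command(body)
            if "\\" not in exe:
                findings.append((tag, f"bare filename {exe!r}: resolved by path search, confirm which copy runs", body))
            elif USER_WRITABLE_RE.search(exe):
                findings.append((tag, "autostart from a user-writable directory", body))
    return findings


if __name__ == "__main__":
    for tag, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{tag:4s} {reason}\n     {body}")
```

Run against the sample it reports four entries: the bare SOUNDMAN.EXE, the orphaned ICQ Lite button, and the two services with no publisher name. Everything else in the sample is either a quoted full path or a service with a readable company name, which is why a helper skips over them on a first read.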

Re: Problem with Vundo.H and possibly more.

Unread postby gringo_pr » April 28th, 2009, 6:14 pm

Hello Fletch101

Looking over your log, it seems you don't have any evidence of anti-virus software.

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

:P2P Warning!:

I must draw your attention to the >malwareremoval< policy regarding P2P programs. You must uninstall all P2P programs and post a fresh HijackThis log before I can continue with cleaning your computer.

Go to Start > Control Panel > Add/Remove Programs
If present, remove the following programs:

BitTorrent
Limewire
Morpheus
etc


*NOTE* Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.


If you continue to use P2P programs, we see no purpose in cleaning your machine as it is pretty much certain that, if you continue to use them, your computer will get infected again.

:information and logs:

    In your next post I need the following

      1. New HijackThis log
      2. New uninstall list

Gringo
gringo_pr
Site Moderator

Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Problem with Vundo.H and possibly more.

Unread postby Fletch101 » April 29th, 2009, 12:50 am

Thanks gringo.

- I have removed the p2p software (BitTorrent).
- I have installed and updated Avira AntiVir Personal, but have not run a system scan with it.

HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45 PM, on 4/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 4902 bytes

HijackThis Uninstall List:
AC3Filter (remove only)
ActivePerl 5.8.8 Build 822
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.8
Adobe SVG Viewer 3.0
Album Art Downloader XUI 0.19
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
Apple Mobile Device Support
Apple Software Update
Auralia 3 Student Edition
Avira AntiVir Personal - Free Antivirus
Baldur's Gate(TM) II - Throne of Bhaal (TM)
Battlefield 2(TM)
Battlefield 2: Special Forces
Battlefield 2142
BZFlag 2.0.10 (remove only)
Cakewalk VST Adapter 4.5.1.0
CDRWIN
Chessmaster Grandmaster Edition
Counter-Strike: Source
dBpoweramp DSP Effects
dBpoweramp Music Converter
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DreamStation DXi2
DVD Decrypter (Remove Only)
Echo 3G
EVGA Display Driver
Exact Audio Copy 0.95b4
ffdshow [rev 1723] [2007-12-24]
FLAC 1.2.1b (remove only)
GoldWave v5.25
Half-Life 2
Half-Life 2: Episode One
Half-Life 2: Episode Two
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB932716-v2)
iConcertCal
ICQ6
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 7
Just Great Software EditPad Lite 6.4.3
Left 4 Dead
LucasArts' TIE Fighter
Malwarebytes' Anti-Malware
MediaMonkey 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft WinUsb 1.0
Midisport 4x4 1.0.1.0
Mozilla Firefox (3.0.1)
Mp3tag v2.42
MSXML 6.0 Parser (KB933579)
Nero OEM
NVIDIA Drivers
Oblivion
Oblivion - BTmod 2.20
Oblivion - Horse Armor Pack
Oblivion - Knights of the Nine
Oblivion - Mehrunes Razor
Oblivion - Orrery
Oblivion - Spell Tomes
Oblivion - The Fighter's Stronghold
Oblivion - Thieves Den
Oblivion - Vile Lair
Oblivion - Wizard's Tower
oggcodecs 0.71.0946
Portal
Quake III Arena
Quake III Arena Point Release 1.32
QuickTime
Realtek AC'97 Audio
Renamer 1.1
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Series II MIDI
SONAR 5 Producer Edition
SpeechRedist
Star Wars Jedi Knight Jedi Academy
Star Wars JK II Jedi Outcast
Starcraft
Steam
System Requirements Lab
Team Fortress 2
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax Basic 2007
TVersity Codec Pack 1.2
TVersity Media Server 1.0.0.5 RC3
Unreal Anthology
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Ventrilo Client
WexTech AnswerWorks
Winamp (remove only)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
XnView 1.95.2
X-Wing & TIE Fighter 95 Compatibility Fix
Fletch101
Active Member
 
Posts: 12
Joined: April 27th, 2009, 10:34 pm

Re: Problem with Vundo.H and possibly more.

Unread postby gringo_pr » April 29th, 2009, 4:22 am

Hello

Thanks for removing BitTorrent.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

Code:
File::
c:\windows\system32\vovugesi.exe
c:\windows\system32\tiwunino.exe

FCOPY::
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe
c:\windows\ServicePackFiles\i386\termsrv.dll | c:\windows\ServicePackFiles\i386\termsrv.dll


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to. You can start any of them when you need it by clicking its icon (or from the Control Panel). By stopping these programs you will boot up faster and your computer will work faster.


  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

      O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

      O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    You can research each of those lines >here< and see if you want to keep them or not;
    just copy the name between the brackets and paste it into the search space, for example:

    O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"

:Clean temp files:

    Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

    Under Main choose:
      Windows Temp
      Current User Temp
      All Users Temp
      Temporary Internet Files
      Prefetch
      Java Cache

      *The other boxes are optional*
      Then click the Empty Selected button.
    if you use Firefox:
      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
    if you use Opera:
      Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program

Update Java

Download the latest version of JRE 6 Update 13.

  • Scroll down to where it says "JRE 6 Update 13".
  • Click the "Download" button to the right.
  • Select your Platform (Windows) and check the box that says: "Java SE Runtime Environment 6 with JavaFX License Agreement".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u13-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on the download to install the newest version.
Please download JavaRa and unzip it to your desktop.

  • Double-click on JavaRa.exe to start the program.
  • Click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a log file has been produced. Click OK.
  • A log file will pop up. Please save it to a convenient location.

:Kaspersky scan:

    Please go to Kaspersky website and perform an online antivirus scan.

    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Please post this log in your next reply.

:information and logs:

    In your next post I need the following

      1. Log from Kaspersky
      2. New log from HijackThis
      3. Log from ComboFix
      4. How is the computer doing now?

Gringo
gringo_pr
Site Moderator

Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico
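The FCOPY:: step in the script above overwrites c:\windows\system32\winlogon.exe with the copy the service pack installer left in c:\windows\ServicePackFiles\i386 (the termsrv.dll line names the ServicePackFiles path as both source and destination, and the ComboFix log posted later in the thread reports only the winlogon copy). The script below is an added example, not part of the thread and not ComboFix's own code: it shows the check behind that step, hashing each system32 binary against its ServicePackFiles copy and reporting which ones differ, which is what tells you whether such a restore is needed. The file list and the fixture tree are this example's own assumptions, built in a temporary directory so it runs anywhere; on a real XP machine you would point it at C:\WINDOWS. One caveat a practitioner would add: with a malicious driver loaded (the Kaspersky report later in this thread lists a quarantined beep.sys), reads made through the running kernel may be filtered, so the comparison is only trustworthy from clean media.

```python
r"""Compare system32 binaries with the pristine copies in ServicePackFiles\i386.

Added example, not part of the thread and not ComboFix's own code.  The
FCOPY:: step above restores c:\windows\system32\winlogon.exe from
c:\windows\ServicePackFiles\i386; this script shows the check behind it:
hash both copies of each file and report which ones differ.  The file
list and the fixture tree are this example's own assumptions, built in a
temporary directory so it runs anywhere.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict

# system32 file name -> relative path of the copy the service pack installer kept.
# Assumed list for the example; extend it with whatever files a scan reports.
PAIRS = {
    "winlogon.exe": "ServicePackFiles/i386/winlogon.exe",
    "termsrv.dll": "ServicePackFiles/i386/termsrv.dll",
    "userinit.exe": "ServicePackFiles/i386/userinit.exe",
}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_pairs(windir: Path, pairs: Dict[str, str] = PAIRS) -> Dict[str, str]:
    """Return {name: 'match' | 'differs' | 'missing'} for each system32/pristine pair."""
    results: Dict[str, str] = {}
    for name, pristine_rel in pairs.items():
        live = windir / "system32" / name
        pristine = windir / pristine_rel
        if not (live.is_file() and pristine.is_file()):
            # Nothing to compare against; the reference has to come from elsewhere.
            results[name] = "missing"
            continue
        results[name] = "match" if sha256_of(live) == sha256_of(pristine) else "differs"
    return results


def build_demo_tree(windir: Path) -> None:
    """Constructed fixture: one clean pair, one patched pair, one file with no pristine copy."""
    clean_winlogon = b"MZ" + b"\x00" * 62 + b"winlogon-body" * 100
    clean_termsrv = b"MZ" + b"\x00" * 62 + b"termsrv-body" * 100
    # Same length as the clean copy with four bytes rewritten: a size or
    # timestamp check would not notice, the hash does.
    patched_termsrv = bytearray(clean_termsrv)
    patched_termsrv[0x200:0x204] = b"\xeb\xfe\x90\x90"

    (windir / "system32").mkdir(parents=True)
    (windir / "ServicePackFiles" / "i386").mkdir(parents=True)
    (windir / "system32" / "winlogon.exe").write_bytes(clean_winlogon)
    (windir / "ServicePackFiles" / "i386" / "winlogon.exe").write_bytes(clean_winlogon)
    (windir / "system32" / "termsrv.dll").write_bytes(bytes(patched_termsrv))
    (windir / "ServicePackFiles" / "i386" / "termsrv.dll").write_bytes(clean_termsrv)
    (windir / "system32" / "userinit.exe").write_bytes(b"MZ" + b"\x00" * 62)  # no pristine copy


def run_demo() -> Dict[str, str]:
    """Build the fixture in a temp dir and run the comparison over it."""
    with tempfile.TemporaryDirectory() as tmp:
        windir = Path(tmp) / "WINDOWS"
        build_demo_tree(windir)
        return compare_pairs(windir)


if __name__ == "__main__":
    # On a real XP box: compare_pairs(Path(r"C:\WINDOWS"))
    for name, status in run_demo().items():
        print(f"{name:14s} {status}")
```

On the fixture it reports winlogon.exe as a match, termsrv.dll as differing, and userinit.exe as missing a reference copy. A "differs" result is the trigger for an FCOPY:: line; a "missing" result means the pristine copy has to come from somewhere else before anything is overwritten.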

Re: Problem with Vundo.H and possibly more.

Unread postby Fletch101 » April 30th, 2009, 9:57 am

Kaspersky Log
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, April 30, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, April 29, 2009 23:15:23
Records in database: 2101635
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 139396
Threat name: 5
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 03:15:12


File name / Threat name / Threats count
C:\Documents and Settings\Jeff\.housecall6.6\Quarantine\beep.sys.bac_a03612 Infected: Backdoor.Win32.UltimateDefender.a 1
C:\Documents and Settings\Jeff\.housecall6.6\Quarantine\karna.dat.bac_a03612 Infected: Backdoor.Win32.Small.gjm 1
C:\Documents and Settings\Jeff\.housecall6.6\Quarantine\svchost.exe.bac_a03612 Infected: Trojan.Win32.Agent.akdq 1
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-6918d4c8.zip Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Jeff\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-44f8f638.zip Infected: Exploit.Java.Gimsh.b 1

The selected area was scanned.

HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49 AM, on 4/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 5231 bytes

ComboFix Log
ComboFix 09-04-29.01 - Jeff 04/29/2009 20:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.650 [GMT -5:00]
Running from: c:\documents and settings\Jeff\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jeff\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\tiwunino.exe
c:\windows\system32\vovugesi.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tiwunino.exe
c:\windows\system32\vovugesi.exe

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\winlogon.exe --> c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.

2009-04-29 04:40 . 2009-04-29 04:43 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-29 04:40 . 2009-04-29 04:40 -------- d-----w c:\program files\Avira
2009-04-29 04:40 . 2009-04-29 04:40 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-27 05:26 . 2009-04-27 05:26 -------- d-----w c:\program files\Trend Micro
2009-04-27 05:21 . 2008-10-22 01:04 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-27 04:51 . 2009-04-27 04:51 -------- d-----w C:\VundoFix Backups
2009-04-04 20:34 . 2009-04-04 20:34 -------- d-----w c:\documents and settings\Jeff\Local Settings\Application Data\Intuit
2009-04-04 20:33 . 2009-04-04 20:33 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 02:18 . 2007-12-01 02:00 -------- d-----w c:\program files\Steam
2009-04-28 01:50 . 2009-04-28 01:50 0 ----a-w c:\documents and settings\Jeff\ntuser.tmp
2009-04-27 02:44 . 2008-10-22 05:52 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 20:32 . 2008-10-22 05:52 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2008-10-22 05:53 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-04 20:33 . 2006-10-31 04:53 72880 ----a-w c:\documents and settings\Jeff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-04 20:31 . 2007-04-14 16:34 -------- d-----w c:\program files\Common Files\Intuit
2009-04-04 20:29 . 2007-04-14 16:33 -------- d-----w c:\program files\TurboTax
2009-03-19 03:35 . 2008-07-03 03:42 -------- d-----w c:\program files\ICQ6
2009-03-17 17:09 . 2009-03-17 17:09 6 ----a-w c:\windows\Fonts\wfonts.key
2009-02-09 01:01 . 2007-05-18 03:33 140216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-09 01:01 . 2007-05-18 03:33 201352 ----a-w c:\windows\system32\PnkBstrB.exe
.

------- Sigcheck -------

[-] 2002-08-29 12:00 200192 FE84E045A09A4ABC4DEEF7270448B64E c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2008-10-22 00:52 295424 40FFC19A8D4875E9E19CECDC76EF9201 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-04-28_06.12.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-04-29 04:40 . 2009-02-13 16:50 28376 c:\windows\system32\drivers\ssmdrv.sys
+ 2009-04-29 04:40 . 2009-04-29 04:43 96104 c:\windows\system32\drivers\avipbb.sys
+ 2009-04-29 04:40 . 2009-02-13 16:29 22360 c:\windows\system32\drivers\avgntmgr.sys
+ 2009-04-29 04:40 . 2009-02-13 16:17 45416 c:\windows\system32\drivers\avgntdd.sys
+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2002-08-29 12:00 . 2004-08-04 07:56 502272 c:\windows\system32\dllcache\winlogon.exe
+ 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-06-21 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave7"= Echo3GWrap.dll
"Midi1"= usbmn4x4.dll
"midi2"= ma_cmidn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Unreal Anthology\\UT2004\\System\\UT2004.exe"=
"c:\\Program Files\\Steam\\SteamApps\\fletch_101\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\fletch_101\\counter-strike source\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\BZFlag2.0.10\\bzfs.exe"=
"c:\\Program Files\\BZFlag2.0.10\\bzflag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"41952:TCP"= 41952:TCP:TVersity 01
"41952:UDP"= 41952:UDP:TVersity 02
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112

R0 FGXSCSI;FGXSCSI; [x]
R3 USB44LDR;M-Audio USB MIDISPORT 4x4 Loader;c:\windows\system32\drivers\usb44ldr.sys [2007-11-14 23080]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-29 108289]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2009-02-25 13088]
S3 echo3g;Echo3G Service;c:\windows\system32\drivers\echo3g.sys [2006-08-17 221696]
S3 USBMN4X4;M-Audio USB MidiSport 4x4;c:\windows\system32\drivers\usbmn4x4.sys [2008-01-06 22304]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - SSMDRV
.
Contents of the 'Scheduled Tasks' folder

2009-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\dtklt8bm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://malwareremoval.com/forum/viewforum.php?f=11
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 20:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-30 20:59
ComboFix-quarantined-files.txt 2009-04-30 01:58
ComboFix2.txt 2009-04-28 06:15

Pre-Run: 13,082,783,744 bytes free
Post-Run: 13,111,832,576 bytes free

174 --- E O F --- 2008-07-09 08:00

Computer Status
I haven't noticed any symptoms since I followed the directions to your first reply, other than seeing a warning / error message on boot up, and that was only once. (The error message was something about a .dll file. Unfortunately, I don't remember.) So, it appears to be running fine for now, though there are obviously still some infected files.
Fletch101
Active Member
 
Posts: 12
Joined: April 27th, 2009, 10:34 pm

Re: Problem with Vundo.H and possibly more.

Unread postby gringo_pr » May 1st, 2009, 4:33 pm

Hello

This will clear out the infection in your Java cache

    go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache
      - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

looks like I made a mistake with the combofix script before so please run this again

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

Code:
FCOPY::
c:\windows\ServicePackFiles\i386\termsrv.dll | c:\windows\system32\termsrv.dll



Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

let me have the log from combofix and then we should finish soon

gringo
gringo_pr
Site Moderator
 
Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Problem with Vundo.H and possibly more.

Unread postby Fletch101 » May 1st, 2009, 5:45 pm

I cleared out the Java cache as instructed.

ComboFix Log:
ComboFix 09-05-02.3 - Jeff 05/01/2009 16:40.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.629 [GMT -5:00]
Running from: c:\documents and settings\Jeff\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jeff\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.

2009-04-30 02:06 . 2009-04-30 02:06 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-29 04:40 . 2009-04-29 04:43 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-29 04:40 . 2009-04-29 04:40 -------- d-----w c:\program files\Avira
2009-04-29 04:40 . 2009-04-29 04:40 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-27 05:26 . 2009-04-27 05:26 -------- d-----w c:\program files\Trend Micro
2009-04-27 05:21 . 2008-10-22 01:04 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-27 04:51 . 2009-04-27 04:51 -------- d-----w C:\VundoFix Backups
2009-04-04 20:34 . 2009-04-04 20:34 -------- d-----w c:\documents and settings\Jeff\Local Settings\Application Data\Intuit
2009-04-04 20:33 . 2009-04-04 20:33 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 21:39 . 2006-10-31 03:16 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-04-30 04:32 . 2007-07-04 16:29 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-30 02:09 . 2006-10-31 05:44 -------- d-----w c:\program files\Java
2009-04-28 02:18 . 2007-12-01 02:00 -------- d-----w c:\program files\Steam
2009-04-28 01:50 . 2009-04-28 01:50 0 ----a-w c:\documents and settings\Jeff\ntuser.tmp
2009-04-27 02:44 . 2008-10-22 05:52 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 20:32 . 2008-10-22 05:52 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2008-10-22 05:53 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-04 20:33 . 2006-10-31 04:53 72880 ----a-w c:\documents and settings\Jeff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-04 20:31 . 2007-04-14 16:34 -------- d-----w c:\program files\Common Files\Intuit
2009-04-04 20:29 . 2007-04-14 16:33 -------- d-----w c:\program files\TurboTax
2009-03-19 03:35 . 2008-07-03 03:42 -------- d-----w c:\program files\ICQ6
2009-03-17 17:09 . 2009-03-17 17:09 6 ----a-w c:\windows\Fonts\wfonts.key
2009-02-09 01:01 . 2007-05-18 03:33 140216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-09 01:01 . 2007-05-18 03:33 201352 ----a-w c:\windows\system32\PnkBstrB.exe
.

------- Sigcheck -------

[-] 2002-08-29 12:00 200192 FE84E045A09A4ABC4DEEF7270448B64E c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2008-10-22 00:52 295424 40FFC19A8D4875E9E19CECDC76EF9201 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-04-28_06.12.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-05-01 18:34 . 2009-05-01 18:34 16384 c:\windows\temp\Perflib_Perfdata_26c.dat
+ 2009-04-29 04:40 . 2009-02-13 16:50 28376 c:\windows\system32\drivers\ssmdrv.sys
+ 2009-04-29 04:40 . 2009-04-29 04:43 96104 c:\windows\system32\drivers\avipbb.sys
+ 2009-04-29 04:40 . 2009-02-13 16:29 22360 c:\windows\system32\drivers\avgntmgr.sys
+ 2009-04-29 04:40 . 2009-02-13 16:17 45416 c:\windows\system32\drivers\avgntdd.sys
+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
- 2002-08-29 12:00 . 2008-10-22 00:52 502272 c:\windows\system32\winlogon.exe
+ 2002-08-29 12:00 . 2004-08-04 07:56 502272 c:\windows\system32\winlogon.exe
+ 2009-04-30 02:06 . 2009-04-30 02:06 148888 c:\windows\system32\javaws.exe
+ 2009-04-30 02:06 . 2009-04-30 02:06 144792 c:\windows\system32\javaw.exe
+ 2009-04-30 02:06 . 2009-04-30 02:06 144792 c:\windows\system32\java.exe
+ 2002-08-29 12:00 . 2004-08-04 07:56 502272 c:\windows\system32\dllcache\winlogon.exe
+ 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-30 148888]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-06-21 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave7"= Echo3GWrap.dll
"Midi1"= usbmn4x4.dll
"midi2"= ma_cmidn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Unreal Anthology\\UT2004\\System\\UT2004.exe"=
"c:\\Program Files\\Steam\\SteamApps\\fletch_101\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\fletch_101\\counter-strike source\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\BZFlag2.0.10\\bzfs.exe"=
"c:\\Program Files\\BZFlag2.0.10\\bzflag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"41952:TCP"= 41952:TCP:TVersity 01
"41952:UDP"= 41952:UDP:TVersity 02
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112

R0 FGXSCSI;FGXSCSI; [x]
R3 USB44LDR;M-Audio USB MIDISPORT 4x4 Loader;c:\windows\system32\drivers\usb44ldr.sys [2007-11-14 23080]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-29 108289]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2009-02-25 13088]
S3 echo3g;Echo3G Service;c:\windows\system32\drivers\echo3g.sys [2006-08-17 221696]
S3 USBMN4X4;M-Audio USB MidiSport 4x4;c:\windows\system32\drivers\usbmn4x4.sys [2008-01-06 22304]

.
Contents of the 'Scheduled Tasks' folder

2009-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\dtklt8bm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://malwareremoval.com/forum/viewforum.php?f=11
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 16:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3240)
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\program files\Illustrate\dBpoweramp\dBShell.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-01 16:43
ComboFix-quarantined-files.txt 2009-05-01 21:43
ComboFix2.txt 2009-04-30 01:59
ComboFix3.txt 2009-04-28 06:15

Pre-Run: 13,021,265,920 bytes free
Post-Run: 13,083,815,936 bytes free

182 --- E O F --- 2008-07-09 08:00
Fletch101
Active Member
 
Posts: 12
Joined: April 27th, 2009, 10:34 pm

Re: Problem with Vundo.H and possibly more.

Unread postby gringo_pr » May 1st, 2009, 7:24 pm

Hello Fletch101

System Look:

Please download System Look from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
Code:
:filefind
termsrv.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

please let me have the log it creates

Gringo
gringo_pr
Site Moderator
 
Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Problem with Vundo.H and possibly more.

Unread postby Fletch101 » May 1st, 2009, 8:44 pm

SystemLook v1.0 by jpshortstuff (24.04.09)
Log created at 19:41 on 01/05/2009 by Jeff (Administrator - Elevation successful)

========== filefind ==========

Searching for "termsrv.dll"
C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll -----c 200192 bytes [04:16 01/11/2006] [12:00 29/08/2002] FE84E045A09A4ABC4DEEF7270448B64E
C:\WINDOWS\system32\termsrv.dll --a--- 295424 bytes [03:13 31/10/2006] [00:52 22/10/2008] 40FFC19A8D4875E9E19CECDC76EF9201

-=End Of File=-
Fletch101
Active Member
 
Posts: 12
Joined: April 27th, 2009, 10:34 pm
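Reading the two termsrv.dll listings side by side is how the helper concludes the live copy differs from the service-pack backup. As an added example that is not part of the thread, of ComboFix or of SystemLook: a small Python parser for the Sigcheck lines in the ComboFix log and the SystemLook filefind lines above, which groups copies by file name, flags those whose MD5s differ, lists what Sigcheck could not verify, and cross-checks that the two tools agree. The sample input is the thread's own lines; the regexes and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the Sigcheck section of the ComboFix log and the
# SystemLook ":filefind termsrv.dll" result, copied from the posts above.
SIGCHECK_LOG = """\
[-] 2002-08-29 12:00 200192 FE84E045A09A4ABC4DEEF7270448B64E c:\\windows\\$NtServicePackUninstall$\\termsrv.dll
[-] 2008-10-22 00:52 295424 40FFC19A8D4875E9E19CECDC76EF9201 c:\\windows\\system32\\termsrv.dll
"""

SYSTEMLOOK_LOG = """\
========== filefind ==========

Searching for "termsrv.dll"
C:\\WINDOWS\\$NtServicePackUninstall$\\termsrv.dll -----c 200192 bytes [04:16 01/11/2006] [12:00 29/08/2002] FE84E045A09A4ABC4DEEF7270448B64E
C:\\WINDOWS\\system32\\termsrv.dll --a--- 295424 bytes [03:13 31/10/2006] [00:52 22/10/2008] 40FFC19A8D4875E9E19CECDC76EF9201

-=End Of File=-
"""

# ComboFix Sigcheck line: [marker] date time size MD5 path
SIGCHECK_RE = re.compile(
    r"^\[(?P<marker>[^\]]+)\]\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+?)\s*$"
)
# SystemLook filefind line: path attrs size bytes [created] [modified] MD5
SYSTEMLOOK_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[[^\]]+\]\s+\[[^\]]+\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


@dataclass(frozen=True)
class FileRecord:
    path: str                 # normalised: lower-case, backslashes
    size: int
    md5: str                  # upper-case hex
    verified: Optional[bool]  # Sigcheck marker; None when the tool gives none

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def _norm(path: str) -> str:
    return path.strip().replace("/", "\\").lower()


def parse_sigcheck(text: str) -> List[FileRecord]:
    """Parse ComboFix's Sigcheck section. On this thread '[-]' is the marker
    ComboFix puts on a file whose signature it could not verify."""
    out = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            out.append(FileRecord(_norm(m["path"]), int(m["size"]),
                                  m["md5"].upper(), m["marker"] != "-"))
    return out


def parse_systemlook(text: str) -> List[FileRecord]:
    """Parse SystemLook ':filefind' result lines; header/footer lines are skipped."""
    out = []
    for line in text.splitlines():
        m = SYSTEMLOOK_RE.match(line.strip())
        if m:
            out.append(FileRecord(_norm(m["path"]), int(m["size"]),
                                  m["md5"].upper(), None))
    return out


def find_mismatches(records: List[FileRecord]) -> Dict[str, List[FileRecord]]:
    """Group copies by file name and keep those carrying more than one MD5.
    A mismatch is a lead, not proof: a hotfixed file also differs from its
    service-pack backup, which is why the helper supplies a known-good copy
    rather than simply restoring the backup."""
    by_name: Dict[str, List[FileRecord]] = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)
    return {n: rs for n, rs in by_name.items() if len({r.md5 for r in rs}) > 1}


def unverified(records: List[FileRecord]) -> List[str]:
    """Paths Sigcheck marked as not verifiable."""
    return [r.path for r in records if r.verified is False]


def cross_check(a: List[FileRecord], b: List[FileRecord]) -> List[str]:
    """Paths where two tools report a different hash or size for the same file.
    Empty when the logs agree, as they do on this thread."""
    idx = {r.path: r for r in a}
    return [r.path for r in b
            if r.path in idx and (idx[r.path].md5, idx[r.path].size) != (r.md5, r.size)]


if __name__ == "__main__":
    sig = parse_sigcheck(SIGCHECK_LOG)
    look = parse_systemlook(SYSTEMLOOK_LOG)
    for name, copies in find_mismatches(sig).items():
        print(f"{name}: {len(copies)} copies with differing MD5")
        for r in copies:
            print(f"  {r.md5}  {r.size:>8}  {r.path}")
    print("unverified:", unverified(sig))
    print("tools disagree on:", cross_check(sig, look))
```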

Re: Problem with Vundo.H and possibly more.

Unread postby gringo_pr » May 2nd, 2009, 7:18 am

Hello Fletch101

I would like you to download termsrv.dll from >here< and save it to your desktop ( needs to be on your desktop ok)

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

Code:
FCOPY::
%userprofile%\desktop\termsrv.dll | c:\windows\system32\termsrv.dll


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Let me have the combofix log please

Gringo
gringo_pr
Site Moderator
 
Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Problem with Vundo.H and possibly more.

Unread postby Fletch101 » May 2nd, 2009, 4:16 pm

- Copied termsrv.dll to desktop.
- Ran ComboFix with given script.

ComboFix Log:
ComboFix 09-05-02.3 - Jeff 05/02/2009 15:11.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.667 [GMT -5:00]
Running from: c:\documents and settings\Jeff\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jeff\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-04-30 02:06 . 2009-04-30 02:06 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-29 04:40 . 2009-04-29 04:43 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-29 04:40 . 2009-04-29 04:40 -------- d-----w c:\program files\Avira
2009-04-29 04:40 . 2009-04-29 04:40 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-27 05:26 . 2009-04-27 05:26 -------- d-----w c:\program files\Trend Micro
2009-04-27 05:21 . 2008-10-22 01:04 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-27 04:51 . 2009-04-27 04:51 -------- d-----w C:\VundoFix Backups
2009-04-04 20:34 . 2009-04-04 20:34 -------- d-----w c:\documents and settings\Jeff\Local Settings\Application Data\Intuit
2009-04-04 20:33 . 2009-04-04 20:33 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 20:10 . 2006-10-31 03:16 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-04-30 04:32 . 2007-07-04 16:29 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-30 02:09 . 2006-10-31 05:44 -------- d-----w c:\program files\Java
2009-04-28 02:18 . 2007-12-01 02:00 -------- d-----w c:\program files\Steam
2009-04-28 01:50 . 2009-04-28 01:50 0 ----a-w c:\documents and settings\Jeff\ntuser.tmp
2009-04-27 02:44 . 2008-10-22 05:52 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 20:32 . 2008-10-22 05:52 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2008-10-22 05:53 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-04 20:33 . 2006-10-31 04:53 72880 ----a-w c:\documents and settings\Jeff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-04 20:31 . 2007-04-14 16:34 -------- d-----w c:\program files\Common Files\Intuit
2009-04-04 20:29 . 2007-04-14 16:33 -------- d-----w c:\program files\TurboTax
2009-03-19 03:35 . 2008-07-03 03:42 -------- d-----w c:\program files\ICQ6
2009-03-17 17:09 . 2009-03-17 17:09 6 ----a-w c:\windows\Fonts\wfonts.key
2009-02-09 01:01 . 2007-05-18 03:33 140216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-09 01:01 . 2007-05-18 03:33 201352 ----a-w c:\windows\system32\PnkBstrB.exe
.

------- Sigcheck -------

[-] 2002-08-29 12:00 200192 FE84E045A09A4ABC4DEEF7270448B64E c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2008-10-22 00:52 295424 40FFC19A8D4875E9E19CECDC76EF9201 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-05-01_21.42.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-02 20:04 . 2009-05-02 20:04 16384 c:\windows\temp\Perflib_Perfdata_300.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-30 148888]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-06-21 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave7"= Echo3GWrap.dll
"Midi1"= usbmn4x4.dll
"midi2"= ma_cmidn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Unreal Anthology\\UT2004\\System\\UT2004.exe"=
"c:\\Program Files\\Steam\\SteamApps\\fletch_101\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\fletch_101\\counter-strike source\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\BZFlag2.0.10\\bzfs.exe"=
"c:\\Program Files\\BZFlag2.0.10\\bzflag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"41952:TCP"= 41952:TCP:TVersity 01
"41952:UDP"= 41952:UDP:TVersity 02
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112

R0 FGXSCSI;FGXSCSI; [x]
R3 USB44LDR;M-Audio USB MIDISPORT 4x4 Loader;c:\windows\system32\drivers\usb44ldr.sys [2007-11-14 23080]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-29 108289]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2009-02-25 13088]
S3 echo3g;Echo3G Service;c:\windows\system32\drivers\echo3g.sys [2006-08-17 221696]
S3 USBMN4X4;M-Audio USB MidiSport 4x4;c:\windows\system32\drivers\usbmn4x4.sys [2008-01-06 22304]

.
Contents of the 'Scheduled Tasks' folder

2009-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\dtklt8bm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 15:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1404)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-02 15:14
ComboFix-quarantined-files.txt 2009-05-02 20:14
ComboFix2.txt 2009-05-01 21:43
ComboFix3.txt 2009-04-30 01:59
ComboFix4.txt 2009-04-28 06:15

Pre-Run: 13,094,649,856 bytes free
Post-Run: 13,087,895,552 bytes free

149 --- E O F --- 2008-07-09 08:00
Fletch101
Active Member
 
Posts: 12
Joined: April 27th, 2009, 10:34 pm
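The `------- Sigcheck -------` block in the log above is the part of a ComboFix report that a helper looks at first: it lists system files ComboFix could not verify as genuine, each with a `[-]` marker, timestamp, size, MD5 and path. Here both the live `c:\windows\system32\termsrv.dll` and the service-pack uninstall backup are flagged, which is what leads to the FCOPY replacement later in the thread. The following parser is an added example and is not ComboFix's own code or anything the forum posted; it pulls those records out of a log, groups copies of the same file name together and reports whether their hashes agree, so that a reviewer can distinguish "two copies that differ because one is an older build" from "a single live copy that fails the check". The sample text is constructed from the two Sigcheck lines in the post above plus the banner that follows them; the reading of `[-]` as ComboFix's failed-check marker is an assumption taken from how the thread uses it.

```python
"""Parse the 'Sigcheck' section of a ComboFix log and report the files that
failed the signature check, grouped by file name so that several copies of
one DLL (e.g. the service-pack uninstall backup beside the live system32
copy) can be compared side by side.  Added example; not ComboFix code."""
import re
from collections import defaultdict

# Constructed sample: the two Sigcheck lines from the log posted above,
# followed by the next ComboFix banner so the section end is exercised.
SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2002-08-29 12:00 200192 FE84E045A09A4ABC4DEEF7270448B64E c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2008-10-22 00:52 295424 40FFC19A8D4875E9E19CECDC76EF9201 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-05-01_21.42.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-02 20:04 . 2009-05-02 20:04 16384 c:\windows\temp\Perflib_Perfdata_300.dat
"""

SECTION_HEADER = "------- Sigcheck -------"

# One Sigcheck record: [flag] date time size md5 path
# Assumption: ComboFix marks a file that fails its signature check with [-].
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+"
    r"(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(log_text):
    """Return one dict per record in the Sigcheck section.

    The section ends at the next ComboFix banner (a line starting with
    '(((' or '-------') or at end of input."""
    records = []
    in_section = False
    for line in log_text.splitlines():
        if line.strip() == SECTION_HEADER:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("(((") or line.startswith("-------"):
            break
        m = SIGCHECK_RE.match(line)
        if not m:
            continue  # blank lines and the '.' separators ComboFix prints
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        rec["md5"] = rec["md5"].upper()
        rec["name"] = rec["path"].rsplit("\\", 1)[-1].lower()
        records.append(rec)
    return records


def flagged(records):
    """Records whose signature check failed ([-])."""
    return [r for r in records if r["flag"] == "-"]


def group_by_name(records):
    """Group records by bare file name so copies of one DLL sit together."""
    groups = defaultdict(list)
    for r in records:
        groups[r["name"]].append(r)
    return dict(groups)


def copies_differ(group):
    """True when copies sharing a file name do not share one MD5."""
    return len({r["md5"] for r in group}) > 1


def report(log_text):
    """Human-readable summary, returned as a list of lines."""
    records = parse_sigcheck(log_text)
    lines = [f"{len(records)} Sigcheck record(s), {len(flagged(records))} flagged [-]"]
    for name, group in group_by_name(records).items():
        state = "hashes differ" if copies_differ(group) else "hashes identical"
        lines.append(f"{name}: {len(group)} copy/copies, {state}")
        for r in group:
            lines.append(f"  [{r['flag']}] {r['size']:>8} {r['md5']} {r['path']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a saved ComboFix.txt by reading the file into `report()`. A hash mismatch between the uninstall backup and the live copy is expected after updates (the two builds here are seven years apart in timestamp and differ in size), so the `[-]` flag on the live copy is the signal to act on, not the mismatch by itself; after a replacement such as the FCOPY in this thread, re-running ComboFix and checking that the Sigcheck section no longer lists the file is the confirmation.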

Re: Problem with Vundo.H and possibly more.

Unread postby gringo_pr » May 2nd, 2009, 5:54 pm

Hello Fletch101

I am going to change the script a little, and if this doesn't work I will get some help over here.

Besides this little problem, is the computer still doing well?

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

Code:
FCOPY::
c:\documents and settings\Jeff\Desktop\termsrv.dll | c:\windows\system32\termsrv.dll


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Let me have the ComboFix log, please.

Gringo
gringo_pr
Site Moderator
 
Posts: 1817
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: Problem with Vundo.H and possibly more.

Unread postby Fletch101 » May 2nd, 2009, 6:19 pm

Gringo,

There were some infections that showed up when we ran the Kaspersky scan the other day, and a few things that MBAM has found (that I have not fixed - scan only) that I am anxious to get rid of. Other than that, the computer appears to be running OK. I am not getting any pop-ups and it seems to be running at normal speed. Here is the latest ComboFix log:

ComboFix 09-05-02.4 - Jeff 05/02/2009 17:13.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.646 [GMT -5:00]
Running from: c:\documents and settings\Jeff\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jeff\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\documents and settings\Jeff\Desktop\termsrv.dll --> c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-04-30 02:06 . 2009-04-30 02:06 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-29 04:40 . 2009-04-29 04:43 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-29 04:40 . 2009-04-29 04:40 -------- d-----w c:\program files\Avira
2009-04-29 04:40 . 2009-04-29 04:40 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-27 05:26 . 2009-04-27 05:26 -------- d-----w c:\program files\Trend Micro
2009-04-27 05:21 . 2008-10-22 01:04 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-27 04:51 . 2009-04-27 04:51 -------- d-----w C:\VundoFix Backups
2009-04-04 20:34 . 2009-04-04 20:34 -------- d-----w c:\documents and settings\Jeff\Local Settings\Application Data\Intuit
2009-04-04 20:33 . 2009-04-04 20:33 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 22:13 . 2006-10-31 03:16 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 20:06 . 2006-10-31 03:13 295424 ----a-w c:\windows\system32\termsrv.dll
2009-04-30 04:32 . 2007-07-04 16:29 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-30 02:09 . 2006-10-31 05:44 -------- d-----w c:\program files\Java
2009-04-28 02:18 . 2007-12-01 02:00 -------- d-----w c:\program files\Steam
2009-04-28 01:50 . 2009-04-28 01:50 0 ----a-w c:\documents and settings\Jeff\ntuser.tmp
2009-04-27 02:44 . 2008-10-22 05:52 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 20:32 . 2008-10-22 05:52 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2008-10-22 05:53 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-04 20:33 . 2006-10-31 04:53 72880 ----a-w c:\documents and settings\Jeff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-04 20:31 . 2007-04-14 16:34 -------- d-----w c:\program files\Common Files\Intuit
2009-04-04 20:29 . 2007-04-14 16:33 -------- d-----w c:\program files\TurboTax
2009-03-19 03:35 . 2008-07-03 03:42 -------- d-----w c:\program files\ICQ6
2009-03-17 17:09 . 2009-03-17 17:09 6 ----a-w c:\windows\Fonts\wfonts.key
2009-02-09 01:01 . 2007-05-18 03:33 140216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-09 01:01 . 2007-05-18 03:33 201352 ----a-w c:\windows\system32\PnkBstrB.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-05-01_21.42.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-02 20:04 . 2009-05-02 20:04 16384 c:\windows\temp\Perflib_Perfdata_300.dat
+ 2006-10-31 03:13 . 2009-05-02 20:06 295424 c:\windows\system32\dllcache\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-30 148888]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-06-21 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave7"= Echo3GWrap.dll
"Midi1"= usbmn4x4.dll
"midi2"= ma_cmidn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Unreal Anthology\\UT2004\\System\\UT2004.exe"=
"c:\\Program Files\\Steam\\SteamApps\\fletch_101\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\fletch_101\\counter-strike source\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\BZFlag2.0.10\\bzfs.exe"=
"c:\\Program Files\\BZFlag2.0.10\\bzflag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"41952:TCP"= 41952:TCP:TVersity 01
"41952:UDP"= 41952:UDP:TVersity 02
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112

R0 FGXSCSI;FGXSCSI; [x]
R3 USB44LDR;M-Audio USB MIDISPORT 4x4 Loader;c:\windows\system32\drivers\usb44ldr.sys [2007-11-14 23080]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-29 108289]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2009-02-25 13088]
S3 echo3g;Echo3G Service;c:\windows\system32\drivers\echo3g.sys [2006-08-17 221696]
S3 USBMN4X4;M-Audio USB MidiSport 4x4;c:\windows\system32\drivers\usbmn4x4.sys [2008-01-06 22304]

.
Contents of the 'Scheduled Tasks' folder

2009-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\dtklt8bm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 17:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2380)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-02 17:15
ComboFix-quarantined-files.txt 2009-05-02 22:15
ComboFix2.txt 2009-05-02 20:14
ComboFix3.txt 2009-05-01 21:43
ComboFix4.txt 2009-04-30 01:59
ComboFix5.txt 2009-05-02 22:13

Pre-Run: 13,080,489,984 bytes free
Post-Run: 13,073,559,552 bytes free

154 --- E O F --- 2008-07-09 08:00
Fletch101
Active Member
 
Posts: 12
Joined: April 27th, 2009, 10:34 pm