Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Vundo infection

Post by Cazper » January 16th, 2008, 8:46 pm

I've got a nasty version of Vundo. I have run the latest VundoFix with only one file remaining: jkkhhgf.dll

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:55 PM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\135050f7.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
C:\WINDOWS\system32\AEAAAFAAABADB2.exe
C:\WINDOWS\system32\135050f7 .exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\??sks\??plorer.exe
C:\WINDOWS\Y2FzcGVy\command.exe
C:\PROGRA~1\COMMON~1\wffu\wffum.exe
C:\Program Files\Words\Words.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Dot1XCfg\Dot1XCfg .exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\COMMON~1\wffu\wffum .exe
C:\Program Files\Words\Words .exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr .Exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\COMMON~1\wffu\wffua.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\mozilla2\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe
C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe
C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe
C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe
C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe
C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe
C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd .exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\mljgh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [135050f7.exe] C:\WINDOWS\system32\135050f7.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Personal Security Center Monitor] C:\WINDOWS\system32\psc_mon.exe
O4 - HKLM\..\Run: [cxsoyt.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\cxsoyt.dll,nfucede
O4 - HKLM\..\Run: [duowkse.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\duowkse.dll,ojhwwr
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [107d5b51] rundll32.exe "C:\WINDOWS\system32\wycvqsxp.dll",b
O4 - HKLM\..\Run: [A7A3A8A3A4A6ABAD] AEAAAFAAABADB2.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [135050f7.exe] C:\Documents and Settings\casper\Local Settings\Application Data\135050f7.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [Cawb] "C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe" -vt yazb
O4 - HKCU\..\Run: [Zqsfrxlm] "C:\Program Files\??sks\??plorer.exe"
O4 - HKCU\..\Run: [wffu] C:\PROGRA~1\COMMON~1\wffu\wffum .exe
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Y2FzcGVy\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5617 bytes
Cazper

Re: Vundo infection

Post by Shaba » January 22nd, 2008, 7:21 am

Hi Cazper

Rename HijackThis.exe to Cazper.exe and post back a fresh HijackThis log, please :)
Shaba

Re: Vundo infection

Post by Cazper » January 22nd, 2008, 7:27 pm

new log....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:16 PM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\135050f7.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\AEAAAFAAABADB2.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\??sks\??plorer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
C:\WINDOWS\system32\135050f7 .exe
C:\PROGRA~1\COMMON~1\wffu\wffum.exe
C:\Program Files\Words\Words.exe
C:\Program Files\QuickTime\qttask .exe
C:\PROGRA~1\COMMON~1\wffu\wffum .exe
C:\Program Files\Dot1XCfg\Dot1XCfg .exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Words\Words .exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\MSN Messenger\MsnMsgr .Exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\mozilla2\firefox.exe
C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe
C:\Program Files\Trend Micro\HijackThis\Cazper.exe
C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe
C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe
C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe
C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe
C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe
C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe
C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe
C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\mlljh.exe
O2 - BHO: (no name) - {0240BFB3-314E-4302-C2AB-065895ADA8BF} - C:\WINDOWS\system32\ilodcpj.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1263500D-A74A-6CBB-112C-081B26870334} - C:\WINDOWS\system32\krdytkh.dll
O2 - BHO: (no name) - {13BC5059-82C4-4D6D-874A-86ADA1D53BF2} - C:\WINDOWS\system32\awtss.dll (file missing)
O2 - BHO: (no name) - {2C1E58F7-F933-94A4-58F8-09275BB7F296} - C:\WINDOWS\system32\ixjmfxm.dll (file missing)
O2 - BHO: (no name) - {35A6762D-F653-F20E-BF92-05C7FE0DA4A3} - C:\WINDOWS\system32\dslvng.dll
O2 - BHO: {38a57713-8f6e-1c9b-8cc4-03f32652df55} - {55fd2562-3f30-4cc8-b9c1-e6f831775a83} - C:\WINDOWS\system32\wnixvtim.dll (file missing)
O2 - BHO: (no name) - {64FBAD1C-0CEC-4A40-9064-4684295B0798} - C:\WINDOWS\system32\mlljh.dll
O2 - BHO: (no name) - {6AD20970-6618-218E-81CE-07F69CD2D9FD} - C:\WINDOWS\system32\hxmdmvi.dll (file missing)
O2 - BHO: (no name) - {6E79029A-2D07-6D8C-5BD3-05E9C79CD4A3} - C:\WINDOWS\system32\wcumsag.dll
O2 - BHO: (no name) - {7044F421-CFCD-97F1-A1F1-08EB1FB65A10} - C:\WINDOWS\system32\gwempsc.dll
O2 - BHO: (no name) - {71009E1F-6EBF-65F7-FEED-05B5C25FD8E9} - C:\WINDOWS\system32\xsmdqcj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {97FFFB35-178F-6878-D82D-3BE607810CB0} - (no file)
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\jkkhhgf.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [135050f7.exe] C:\WINDOWS\system32\135050f7.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Personal Security Center Monitor] C:\WINDOWS\system32\psc_mon.exe
O4 - HKLM\..\Run: [cxsoyt.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\cxsoyt.dll,nfucede
O4 - HKLM\..\Run: [duowkse.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\duowkse.dll,ojhwwr
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [107d5b51] rundll32.exe "C:\WINDOWS\system32\wycvqsxp.dll",b
O4 - HKLM\..\Run: [A7A3A8A3A4A6ABAD] AEAAAFAAABADB2.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [135050f7.exe] C:\Documents and Settings\casper\Local Settings\Application Data\135050f7.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [Cawb] "C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe" -vt yazb
O4 - HKCU\..\Run: [Zqsfrxlm] "C:\Program Files\??sks\??plorer.exe"
O4 - HKCU\..\Run: [wffu] C:\PROGRA~1\COMMON~1\wffu\wffum .exe
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Y2FzcGVy\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7044 bytes
Cazper
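The two logs above show the patterns a helper looks for before building a fix: a space inserted before the extension of a legitimate program name (qttask .exe, jusched .exe), unnamed BHOs loading from system32 or pointing at a missing file, the F3 win.ini load= autostart, Run values named with hex strings or after the very file they launch, binaries started from a user's Application Data folder, and a service with no vendor. As an added example (not part of the thread and not code from HijackThis or ComboFix), the Python script below runs those heuristics over sample lines copied from the logs; the regexes and rule names are this example's own assumptions, not rules from either tool.

```python
import re

# Constructed sample: entries copied from the HijackThis logs posted in this
# thread, plus two clean entries (the Adobe BHO and SoundMan) for contrast.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\mlljh.exe
O2 - BHO: (no name) - {0240BFB3-314E-4302-C2AB-065895ADA8BF} - C:\WINDOWS\system32\ilodcpj.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\jkkhhgf.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [107d5b51] rundll32.exe "C:\WINDOWS\system32\wycvqsxp.dll",b
O4 - HKLM\..\Run: [cxsoyt.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\cxsoyt.dll,nfucede
O4 - HKCU\..\Run: [Cawb] "C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe" -vt yazb
O4 - HKCU\..\Run: [Zqsfrxlm] "C:\Program Files\??sks\??plorer.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Y2FzcGVy\command.exe
"""

# Parsers for the three HijackThis entry types the heuristics need (example's own regexes).
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RUN = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_SVC = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")

# Heuristics drawn from the patterns visible in this thread's logs (assumptions, not tool rules).
SPACE_BEFORE_EXT = re.compile(r"\S \.(?:exe|dll|com|scr)\b", re.I)   # "qttask .exe"
QMARK_IN_PATH = re.compile(r"\\[^\\\s]*\?")                           # "\??sks\??plorer.exe"
PROFILE_DATA = re.compile(
    r"\\(?:DOCUME~1|Documents and Settings)\\[^\\]+\\"
    r"(?:APPLIC~1|Application Data|LOCALS~1|Local Settings)\\", re.I)
HEX_NAME = re.compile(r"^[0-9a-f]{8,}$", re.I)                         # "[107d5b51]"
RUNDLL32_SHORT_EXPORT = re.compile(
    r'rundll32(?:\.exe)?\s+"?[^",]*\\system32\\[^",]+\.dll"?,\s*\S{1,3}\s*$', re.I)


def check_line(line: str) -> list[str]:
    """Return the triage reasons for one HijackThis entry; an empty list means nothing odd."""
    reasons = []
    if SPACE_BEFORE_EXT.search(line):
        reasons.append("space before extension (look-alike of a legitimate program name)")
    if QMARK_IN_PATH.search(line):
        reasons.append("path component contains characters HijackThis could not print")
    if PROFILE_DATA.search(line):
        reasons.append("executable launched from a user-profile data folder")
    if line.startswith("F3 - REG:win.ini: load="):
        reasons.append("legacy win.ini load= autostart")
    m = O2_BHO.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        nameless = name == "(no name)" or name.startswith("{")
        missing = "(file missing)" in path or path == "(no file)"
        in_system32 = "\\system32\\" in path.lower()
        if nameless and (missing or in_system32):
            reasons.append("unnamed BHO in system32 or pointing at a missing file")
    m = O4_RUN.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        stem = re.sub(r"\.(?:exe|dll)$", "", name, flags=re.I)
        if HEX_NAME.match(stem):
            reasons.append("Run value named with a hex string")
        if re.search(r"\.(?:exe|dll)$", name, re.I):
            reasons.append("Run value named after the file it launches")
        if RUNDLL32_SHORT_EXPORT.search(cmd):
            reasons.append("rundll32 calling a one-to-three-letter export of a system32 DLL")
    m = O23_SVC.match(line)
    if m and m.group("vendor") == "Unknown owner":
        reasons.append("service with no vendor information (verify the binary)")
    return reasons


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Run check_line over every non-blank line and return only the flagged entries."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line:
            reasons = check_line(line)
            if reasons:
                flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Nine of the eleven sample entries are flagged; the Adobe BHO and SoundMan lines pass, which is the point of a triage pass: it narrows the log to entries a helper then verifies by hand.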

Re: Vundo infection

Post by Shaba » January 23rd, 2008, 5:39 am

Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
Shaba

Re: Vundo infection

Post by Cazper » January 23rd, 2008, 8:46 pm

I also get an error after startup of Windows: "Specified module could not be found wycvqsxp.dll"


ComboFix 08-01-23.2 - casper 2008-01-23 18:34:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1630 [GMT -6:00]
Running from: C:\Documents and Settings\casper\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\casper\Application Data\SSTEM~1
C:\Documents and Settings\casper\Application Data\SSTEM~1\cmd .exe
C:\Documents and Settings\casper\Application Data\SSTEM~1\cmd.exe
C:\Documents and Settings\casper\Application Data\SSTEM~1\s?stem\
C:\Documents and Settings\casper\Local Settings\Application Data\135050f7 .exe
C:\Documents and Settings\casper\Local Settings\Application Data\135050f7.exe
C:\Documents and Settings\casper\Start Menu\Programs\UltimateCleaner 2007
C:\Documents and Settings\casper\Start Menu\Programs\UltimateCleaner 2007\Register UltimateCleaner 2007.lnk
C:\Documents and Settings\casper\Start Menu\Programs\UltimateCleaner 2007\Start UltimateCleaner 2007.lnk
C:\Documents and Settings\casper\Start Menu\Programs\UltimateCleaner 2007\Uninstall UltimateCleaner 2007.lnk
C:\PROGRA~1\COMMON~1\wffu\wffum .exe
C:\Program Files\Common Files\wffu
C:\Program Files\Common Files\wffu\wffua.lck
C:\Program Files\Common Files\wffu\wffud\class-barrel
C:\Program Files\Common Files\wffu\wffud\vocabulary
C:\Program Files\Common Files\wffu\wffud\wffuc.dll
C:\Program Files\Common Files\wffu\wfful.exe
C:\Program Files\Common Files\wffu\wfful.lck
C:\Program Files\Common Files\wffu\wffum .exe
C:\Program Files\Common Files\wffu\wffum.exe
C:\Program Files\Common Files\wffu\wffum.lck
C:\Program Files\Common Files\wffu\wffup.exe
C:\Program Files\ComPlus Applications\nixyheqix455101.dll
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB .EXE
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Dot1XCfg\Dot1XCfg .exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\inetget2
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr .Exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\outerinfo
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\sks~1
C:\Program Files\sks~1\??plorer.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\Program Files\Words
C:\Program Files\Words\list.txt
C:\Program Files\Words\script.txt
C:\Program Files\Words\UnInstall.exe
C:\Program Files\Words\Words .exe
C:\Program Files\Words\Words.exe
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b143.exe
C:\WINDOWS\b149.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\135050f7 .exe
C:\WINDOWS\system32\135050f7.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\hjllm.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljgh.dll
C:\WINDOWS\system32\mljgh.exe
C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\mlljh.exe
C:\WINDOWS\system32\RCX22.tmp
C:\WINDOWS\system32\RCX24.tmp
C:\WINDOWS\system32\RCX30.tmp
C:\WINDOWS\system32\RCX3E.tmp
C:\WINDOWS\system32\spoolsvv.exe
C:\WINDOWS\system32\wnsapisv32.exe
C:\WINDOWS\wffu
C:\WINDOWS\wffu\wffu.dat
C:\WINDOWS\wffu\wu
C:\WINDOWS\Y2FzcGVy\
C:\WINDOWS\Y2FzcGVy\\asappsrv.dll
C:\WINDOWS\Y2FzcGVy\\sZIWw3pV.vbs

C:\Documents and Settings\casper\Local Settings\Application Data\135050f7 .exe ---> QooBox
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB .EXE ---> QooBox
C:\Program Files\Dot1XCfg\Dot1XCfg .exe ---> QooBox
C:\Program Files\iTunes\iTunesHelper .exe ---> QooBox
C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe ---> QooBox
C:\Program Files\MSN Messenger\MsnMsgr .Exe ---> QooBox
C:\Program Files\Words\Words .exe ---> QooBox
C:\WINDOWS\system32\135050f7 .exe ---> QooBox

.
----- BITS: Possible infected sites -----

hxxp://80.93.59.108

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService


((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

2008-01-23 18:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-16 18:29 . 2008-01-16 18:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-14 18:14 . 2008-01-16 18:11 <DIR> d-------- C:\VundoFix Backups
2008-01-14 15:36 . 2008-01-14 15:36 <DIR> d-------- C:\WINDOWS\system32\99959A9596989D
2008-01-14 15:36 . 2007-12-14 06:40 120,832 --a------ C:\WINDOWS\system32\AEAAAFAAABADB2.exe
2008-01-14 15:28 . 2008-01-14 15:29 1,056,976 --ahs---- C:\WINDOWS\system32\pxsqvcyw.ini
2008-01-14 15:23 . 2008-01-14 15:23 1,056,916 --ahs---- C:\WINDOWS\system32\npsxvblx.ini
2008-01-14 15:06 . 2008-01-14 15:17 221,184 --a------ C:\WINDOWS\system32\psc_mon .exe
2008-01-13 17:28 . 2008-01-14 17:07 357 --a------ C:\WINDOWS\wininit.ini
2008-01-13 12:48 . 2008-01-23 18:38 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-13 12:44 . 2008-01-14 15:16 380,928 --a------ C:\WINDOWS\mrofinu72.exe.tmp
2008-01-13 12:43 . 2008-01-13 12:43 6,144 --a------ C:\info.exe
2008-01-10 18:29 . 2008-01-10 18:29 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-01-08 18:33 . 2008-01-08 18:34 38 --a------ C:\WINDOWS\avisplitter.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 00:38 --------- d-----w C:\Program Files\QuickTime
2008-01-24 00:38 --------- d-----w C:\Program Files\MSN Messenger
2008-01-24 00:38 --------- d-----w C:\Program Files\iTunes
2008-01-24 00:31 --------- d-----w C:\Program Files\mozilla2
2008-01-17 02:02 --------- d-s---w C:\Program Files\Xfire
2008-01-14 01:44 --------- d-----w C:\Program Files\Steam
2007-12-30 16:17 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-17 19:12 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-17 19:10 --------- d-----w C:\Program Files\DivX
2007-12-15 20:40 --------- d-----w C:\Program Files\Winamp
2007-12-11 21:32 --------- d-----w C:\Program Files\Realtek AC97
2007-12-11 20:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-11 20:42 --------- d-----w C:\Program Files\Activision
2007-12-11 16:41 --------- d-----w C:\Program Files\Ventrilo
2007-12-11 16:41 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
1998-08-24 18:09 10,000 ----a-w C:\WINDOWS\inf\unregpn.exe
.
----a-w           221,184 2008-01-14 21:17:34  C:\WINDOWS\system32\psc_mon .exe



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0240BFB3-314E-4302-C2AB-065895ADA8BF}]
2007-03-27 19:38 64000 --a------ C:\WINDOWS\system32\ilodcpj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1263500D-A74A-6CBB-112C-081B26870334}]
2007-02-01 18:59 71680 --a------ C:\WINDOWS\system32\krdytkh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13BC5059-82C4-4D6D-874A-86ADA1D53BF2}]
C:\WINDOWS\system32\awtss.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C1E58F7-F933-94A4-58F8-09275BB7F296}]
C:\WINDOWS\system32\ixjmfxm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35A6762D-F653-F20E-BF92-05C7FE0DA4A3}]
2007-02-02 15:44 71680 --a------ C:\WINDOWS\system32\dslvng.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55fd2562-3f30-4cc8-b9c1-e6f831775a83}]
C:\WINDOWS\system32\wnixvtim.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AD20970-6618-218E-81CE-07F69CD2D9FD}]
C:\WINDOWS\system32\hxmdmvi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E79029A-2D07-6D8C-5BD3-05E9C79CD4A3}]
2007-01-31 16:47 71168 --a------ C:\WINDOWS\system32\wcumsag.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7044F421-CFCD-97F1-A1F1-08EB1FB65A10}]
2007-04-10 16:17 64000 --a------ C:\WINDOWS\system32\gwempsc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71009E1F-6EBF-65F7-FEED-05B5C25FD8E9}]
2007-02-06 15:58 71168 --a------ C:\WINDOWS\system32\xsmdqcj.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"135050f7.exe"="C:\Documents and Settings\casper\Local Settings\Application Data\135050f7.exe" [ ]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]
"Cawb"="C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe" [ ]
"Zqsfrxlm"="C:\Program Files\??sks\??plorer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"AudioHQ"="C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [ ]
"Creative Launcher"="C:\Program Files\Creative\Launcher\CTLauncher.exe" [ ]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [ ]
"135050f7.exe"="C:\WINDOWS\system32\135050f7.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"Personal Security Center Monitor"="C:\WINDOWS\system32\psc_mon.exe" [ ]
"cxsoyt.dll"="C:\WINDOWS\system32\cxsoyt.dll" [2007-02-05 23:02 58880]
"duowkse.dll"="C:\WINDOWS\system32\duowkse.dll" [2007-03-27 19:38 87552]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\SOUNDMAN.EXE]
"107d5b51"="C:\WINDOWS\system32\wycvqsxp.dll" [ ]
"A7A3A8A3A4A6ABAD"="AEAAAFAAABADB2.exe" [2007-12-14 06:40 120832 C:\WINDOWS\system32\AEAAAFAAABADB2.exe]

C:\Documents and Settings\casper\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2008-01-10 18:29:50 2872144]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mmx4xm.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mmx4xt.sys]
@="Driver"

R1 mmx4xm;MMX virtualization service;C:\WINDOWS\system32\mmx4xm.sys [2002-08-28 21:41]
S2 mmx4xt;MMX2 virtualization service;C:\WINDOWS\system32\mmx4xm.sys [2002-08-28 21:41]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys [2001-08-17 12:19]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{503eea5e-5574-11da-95eb-000fea32f1aa}]
\Shell\AutoRun\command - H:\Autorun.exe

*Newly Created Service* - HTTPFILTER
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 18:41:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\mmx4xm.sys 21904 bytes executable
C:\WINDOWS\system32\mmx4xt.dll 41333 bytes executable
C:\WINDOWS\system32\klgcptini.dat 0 bytes
C:\WINDOWS\system32\stt82.ini 320 bytes
C:\WINDOWS\system32\qz.dll 41333 bytes executable
C:\WINDOWS\system32\qz.sys 21904 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************
.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:45, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\AEAAAFAAABADB2.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\mozilla2\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Cazper.exe

O2 - BHO: (no name) - {0240BFB3-314E-4302-C2AB-065895ADA8BF} - C:\WINDOWS\system32\ilodcpj.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1263500D-A74A-6CBB-112C-081B26870334} - C:\WINDOWS\system32\krdytkh.dll
O2 - BHO: (no name) - {13BC5059-82C4-4D6D-874A-86ADA1D53BF2} - C:\WINDOWS\system32\awtss.dll (file missing)
O2 - BHO: (no name) - {2C1E58F7-F933-94A4-58F8-09275BB7F296} - C:\WINDOWS\system32\ixjmfxm.dll (file missing)
O2 - BHO: (no name) - {35A6762D-F653-F20E-BF92-05C7FE0DA4A3} - C:\WINDOWS\system32\dslvng.dll
O2 - BHO: {38a57713-8f6e-1c9b-8cc4-03f32652df55} - {55fd2562-3f30-4cc8-b9c1-e6f831775a83} - C:\WINDOWS\system32\wnixvtim.dll (file missing)
O2 - BHO: (no name) - {6AD20970-6618-218E-81CE-07F69CD2D9FD} - C:\WINDOWS\system32\hxmdmvi.dll (file missing)
O2 - BHO: (no name) - {6E79029A-2D07-6D8C-5BD3-05E9C79CD4A3} - C:\WINDOWS\system32\wcumsag.dll
O2 - BHO: (no name) - {7044F421-CFCD-97F1-A1F1-08EB1FB65A10} - C:\WINDOWS\system32\gwempsc.dll
O2 - BHO: (no name) - {71009E1F-6EBF-65F7-FEED-05B5C25FD8E9} - C:\WINDOWS\system32\xsmdqcj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [135050f7.exe] C:\WINDOWS\system32\135050f7.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Personal Security Center Monitor] C:\WINDOWS\system32\psc_mon.exe
O4 - HKLM\..\Run: [cxsoyt.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\cxsoyt.dll,nfucede
O4 - HKLM\..\Run: [duowkse.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\duowkse.dll,ojhwwr
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [107d5b51] rundll32.exe "C:\WINDOWS\system32\wycvqsxp.dll",b
O4 - HKLM\..\Run: [A7A3A8A3A4A6ABAD] AEAAAFAAABADB2.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [135050f7.exe] C:\Documents and Settings\casper\Local Settings\Application Data\135050f7.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [Cawb] "C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe" -vt yazb
O4 - HKCU\..\Run: [Zqsfrxlm] "C:\Program Files\??sks\??plorer.exe"
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5317 bytes
Cazper
Active Member
 
Posts: 13
Joined: January 16th, 2008, 8:41 pm

Re: Vundo infection

Unread postby Shaba » January 24th, 2008, 4:55 am

Hi

Yes, that is due to one bad file missing.

We'll fix that next.

You may need to re-install certain startup programs as they were infected and deleted.

However, don't do it now.

Open notepad and copy/paste the text in the quotebox below into it:

Rootkit::
C:\WINDOWS\system32\mmx4xm.sys 
C:\WINDOWS\system32\mmx4xt.dll 
C:\WINDOWS\system32\klgcptini.dat 
C:\WINDOWS\system32\stt82.ini 
C:\WINDOWS\system32\qz.dll 
C:\WINDOWS\system32\qz.sys 

File::
C:\WINDOWS\system32\AEAAAFAAABADB2.exe
C:\WINDOWS\system32\pxsqvcyw.ini
C:\WINDOWS\system32\npsxvblx.ini
C:\WINDOWS\system32\psc_mon .exe
C:\WINDOWS\mrofinu72.exe.tmp
C:\info.exe

Driver::
mmx4xm
mmx4xt

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0240BFB3-314E-4302-C2AB-065895ADA8BF}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1263500D-A74A-6CBB-112C-081B26870334}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13BC5059-82C4-4D6D-874A-86ADA1D53BF2}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C1E58F7-F933-94A4-58F8-09275BB7F296}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35A6762D-F653-F20E-BF92-05C7FE0DA4A3}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55fd2562-3f30-4cc8-b9c1-e6f831775a83}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AD20970-6618-218E-81CE-07F69CD2D9FD}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6E79029A-2D07-6D8C-5BD3-05E9C79CD4A3}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7044F421-CFCD-97F1-A1F1-08EB1FB65A10}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71009E1F-6EBF-65F7-FEED-05B5C25FD8E9}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"135050f7.exe"=-
"Cawb"=-
"Zqsfrxlm"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"135050f7.exe"=-
"Personal Security Center Monitor"=-
"cxsoyt.dll"=-
"duowkse.dll"=-
"107d5b51"=-
"A7A3A8A3A4A6ABAD"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes named findstr, find, sed or swreg; then ComboFix should continue.
If that happened, we want to know, and also which process you had to end.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
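The O4 lines in the HijackThis log above and the Registry:: section of the CFScript in this post share a simple line format, so a helper can cross-check one against the other. The Python below is an added example, not code from MalwareRemoval.com, HijackThis or ComboFix: it parses both, flags Run entries showing the patterns visible in this thread (a space before the extension as in "qttask .exe", rundll32 loading a DLL named after the Run value as in [cxsoyt.dll], an 8-hex-digit value name as in 107d5b51) and lists the flagged entries the script would leave in place. The sample lines are constructed from entries in this thread; the three heuristics are my assumptions, not HijackThis or ComboFix logic.

```python
"""Cross-check HijackThis O4 Run entries against a ComboFix CFScript.

Added example; not code from MalwareRemoval.com, HijackThis or ComboFix.
The heuristics below are assumptions modelled on entries in this thread.
"""
import re

# Constructed sample: O4 lines in HijackThis 2.0.2 format, built from the
# entries shown in this thread.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [cxsoyt.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\cxsoyt.dll,nfucede
O4 - HKLM\..\Run: [107d5b51] rundll32.exe "C:\WINDOWS\system32\wycvqsxp.dll",b
O4 - HKCU\..\Run: [Cawb] "C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe" -vt yazb
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
"""

# Constructed sample: a CFScript in the same shape as the one posted above.
# Under a Run key, "name"=- deletes that value.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\system32\psc_mon .exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0240BFB3-314E-4302-C2AB-065895ADA8BF}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cawb"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cxsoyt.dll"=-
"107d5b51"=-
"""

O4_RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)', re.IGNORECASE)


def parse_o4(text):
    """Return (hive, value_name, command) for every HKLM/HKCU Run entry."""
    entries = []
    for line in text.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries


def parse_cfscript_run_deletions(text):
    """Map hive -> set of Run value names the Registry:: section deletes."""
    deletions, hive = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1].upper()
            hive = None  # only "=-" lines under a Run key count
            if key.endswith(r'\CURRENTVERSION\RUN'):
                if key.startswith('HKEY_LOCAL_MACHINE'):
                    hive = 'HKLM'
                elif key.startswith('HKEY_CURRENT_USER'):
                    hive = 'HKCU'
            continue
        m = re.fullmatch(r'"([^"]+)"=-', line)
        if m and hive:
            deletions.setdefault(hive, set()).add(m.group(1))
    return deletions


def suspicious_reasons(name, command):
    """Heuristics (assumptions) drawn from the patterns in this thread."""
    reasons = []
    # A space before the extension ("qttask .exe"): a look-alike file placed
    # beside the genuine one so the Run value launches the impostor.
    if re.search(r'\S \.(exe|dll)\b', command, re.IGNORECASE):
        reasons.append('space-before-extension')
    # rundll32 loading a DLL whose file name is also the Run value name
    # ([cxsoyt.dll] -> cxsoyt.dll,nfucede): the Vundo-style autoloader.
    m = RUNDLL_RE.search(command)
    if m and m.group(1).rsplit('\\', 1)[-1].lower() == name.lower():
        reasons.append('rundll32-dll-named-after-value')
    # A machine-generated value name: exactly 8 hex digits (107d5b51).
    if re.fullmatch(r'[0-9a-f]{8}(\.exe)?', name, re.IGNORECASE):
        reasons.append('hex-value-name')
    return reasons


def cross_check(o4_text, cfscript_text):
    """One record per Run entry: heuristics hit, and whether the script removes it."""
    scheduled = parse_cfscript_run_deletions(cfscript_text)
    return [
        {'hive': hive, 'name': name, 'command': command,
         'reasons': suspicious_reasons(name, command),
         'scheduled': name in scheduled.get(hive, set())}
        for hive, name, command in parse_o4(o4_text)
    ]


def unreviewed(report):
    """Names of entries a heuristic flagged that the script leaves in place."""
    return [r['name'] for r in report if r['reasons'] and not r['scheduled']]


if __name__ == '__main__':
    report = cross_check(SAMPLE_O4, SAMPLE_CFSCRIPT)
    for r in report:
        status = 'REMOVE' if r['scheduled'] else 'keep'
        print(f"{status:6} {r['hive']} [{r['name']}] {', '.join(r['reasons']) or '-'}")
    print('flagged but not scheduled:', unreviewed(report))
```

On the sample, the only entry flagged but not scheduled is "QuickTime Task", which matches the thread: the CFScript deletes the Vundo Run values, while the " .exe" look-alikes are handled by ComboFix itself (the QooBox list in the next log) rather than by the Registry:: section.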

Re: Vundo infection

Unread postby Cazper » January 24th, 2008, 7:16 pm

ComboFix 08-01-23.2 - casper 2008-01-24 17:05:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1664 [GMT -6:00]
Running from: C:\Documents and Settings\casper\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\casper\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\info.exe
C:\WINDOWS\mrofinu72.exe.tmp
C:\WINDOWS\system32\AEAAAFAAABADB2.exe
C:\WINDOWS\system32\npsxvblx.ini
C:\WINDOWS\system32\psc_mon .exe
C:\WINDOWS\system32\pxsqvcyw.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\info.exe
C:\WINDOWS\mrofinu72.exe.tmp
C:\WINDOWS\system32\AEAAAFAAABADB2.exe
C:\WINDOWS\system32\klgcptini.dat
C:\WINDOWS\system32\mmx4xm.sys
C:\WINDOWS\system32\mmx4xt.dll
C:\WINDOWS\system32\npsxvblx.ini
C:\WINDOWS\system32\psc_mon .exe
C:\WINDOWS\system32\pxsqvcyw.ini
C:\WINDOWS\system32\qz.dll
C:\WINDOWS\system32\qz.sys
C:\WINDOWS\system32\stt82.ini
.
---- Previous Run -------
.
C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\casper\Application Data\SSTEM~1
C:\Documents and Settings\casper\Application Data\SSTEM~1\cmd .exe
C:\Documents and Settings\casper\Application Data\SSTEM~1\cmd.exe
C:\Documents and Settings\casper\Application Data\SSTEM~1\s?stem\
C:\Documents and Settings\casper\Local Settings\Application Data\135050f7 .exe
C:\Documents and Settings\casper\Local Settings\Application Data\135050f7.exe
C:\Documents and Settings\casper\Start Menu\Programs\UltimateCleaner 2007
C:\Documents and Settings\casper\Start Menu\Programs\UltimateCleaner 2007\Register UltimateCleaner 2007.lnk
C:\Documents and Settings\casper\Start Menu\Programs\UltimateCleaner 2007\Start UltimateCleaner 2007.lnk
C:\Documents and Settings\casper\Start Menu\Programs\UltimateCleaner 2007\Uninstall UltimateCleaner 2007.lnk
C:\PROGRA~1\COMMON~1\wffu\wffum .exe
C:\Program Files\Common Files\wffu
C:\Program Files\Common Files\wffu\wffua.lck
C:\Program Files\Common Files\wffu\wffud\class-barrel
C:\Program Files\Common Files\wffu\wffud\vocabulary
C:\Program Files\Common Files\wffu\wffud\wffuc.dll
C:\Program Files\Common Files\wffu\wfful.exe
C:\Program Files\Common Files\wffu\wfful.lck
C:\Program Files\Common Files\wffu\wffum .exe
C:\Program Files\Common Files\wffu\wffum.exe
C:\Program Files\Common Files\wffu\wffum.lck
C:\Program Files\Common Files\wffu\wffup.exe
C:\Program Files\ComPlus Applications\nixyheqix455101.dll
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB .EXE
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Dot1XCfg\Dot1XCfg .exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\inetget2
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr .Exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\outerinfo
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\sks~1
C:\Program Files\sks~1\??plorer.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\Program Files\Words
C:\Program Files\Words\list.txt
C:\Program Files\Words\script.txt
C:\Program Files\Words\UnInstall.exe
C:\Program Files\Words\Words .exe
C:\Program Files\Words\Words.exe
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b143.exe
C:\WINDOWS\b149.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\135050f7 .exe
C:\WINDOWS\system32\135050f7.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\hjllm.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljgh.dll
C:\WINDOWS\system32\mljgh.exe
C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\mlljh.exe
C:\WINDOWS\system32\RCX22.tmp
C:\WINDOWS\system32\RCX24.tmp
C:\WINDOWS\system32\RCX30.tmp
C:\WINDOWS\system32\RCX3E.tmp
C:\WINDOWS\system32\spoolsvv.exe
C:\WINDOWS\system32\wnsapisv32.exe
C:\WINDOWS\wffu
C:\WINDOWS\wffu\wffu.dat
C:\WINDOWS\wffu\wu
C:\WINDOWS\Y2FzcGVy\
C:\WINDOWS\Y2FzcGVy\\asappsrv.dll
C:\WINDOWS\Y2FzcGVy\\sZIWw3pV.vbs

C:\Documents and Settings\casper\Local Settings\Application Data\135050f7 .exe ---> QooBox
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB .EXE ---> QooBox
C:\Program Files\Dot1XCfg\Dot1XCfg .exe ---> QooBox
C:\Program Files\iTunes\iTunesHelper .exe ---> QooBox
C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe ---> QooBox
C:\Program Files\MSN Messenger\MsnMsgr .Exe ---> QooBox
C:\Program Files\Words\Words .exe ---> QooBox
C:\WINDOWS\system32\135050f7 .exe ---> QooBox

.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService


-------\LEGACY_MMX4XM
-------\LEGACY_MMX4XT
-------\mmx4xm
-------\mmx4xt


((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

2008-01-23 18:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-16 18:29 . 2008-01-16 18:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-14 18:14 . 2008-01-16 18:11 <DIR> d-------- C:\VundoFix Backups
2008-01-14 15:36 . 2008-01-14 15:36 <DIR> d-------- C:\WINDOWS\system32\99959A9596989D
2008-01-13 17:28 . 2008-01-14 17:07 357 --a------ C:\WINDOWS\wininit.ini
2008-01-13 12:48 . 2008-01-23 18:38 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-10 18:29 . 2008-01-10 18:29 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-01-08 18:33 . 2008-01-08 18:34 38 --a------ C:\WINDOWS\avisplitter.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 23:03 --------- d-----w C:\Program Files\mozilla2
2008-01-24 00:38 --------- d-----w C:\Program Files\QuickTime
2008-01-24 00:38 --------- d-----w C:\Program Files\MSN Messenger
2008-01-24 00:38 --------- d-----w C:\Program Files\iTunes
2008-01-17 02:02 --------- d-s---w C:\Program Files\Xfire
2008-01-14 01:44 --------- d-----w C:\Program Files\Steam
2007-12-30 16:17 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-17 19:12 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-17 19:10 --------- d-----w C:\Program Files\DivX
2007-12-15 20:40 --------- d-----w C:\Program Files\Winamp
2007-12-11 21:32 --------- d-----w C:\Program Files\Realtek AC97
2007-12-11 20:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-11 20:42 --------- d-----w C:\Program Files\Activision
2007-12-11 16:41 --------- d-----w C:\Program Files\Ventrilo
2007-12-11 16:41 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
.

((((((((((((((((((((((((((((( snapshot@2008-01-23_18.43.09.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-24 00:33:30 434,176 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 23:05:31 434,176 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-24 00:33:30 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-24 23:05:31 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-24 00:33:30 434,176 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-24 23:05:31 434,176 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-24 00:33:30 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 23:05:31 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-24 00:33:30 3,629,056 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-24 23:05:31 3,629,056 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-24 00:33:31 98,304 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 23:05:31 98,304 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"AudioHQ"="C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [ ]
"Creative Launcher"="C:\Program Files\Creative\Launcher\CTLauncher.exe" [ ]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\SOUNDMAN.EXE]

C:\Documents and Settings\casper\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2008-01-10 18:29:50 2872144]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mmx4xm.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mmx4xt.sys]
@="Driver"

S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys [2001-08-17 12:19]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{503eea5e-5574-11da-95eb-000fea32f1aa}]
\Shell\AutoRun\command - H:\Autorun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 17:11:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:14, on 2008-01-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\mozilla2\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Cazper.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 3368 bytes
Cazper
Active Member
 
Posts: 13
Joined: January 16th, 2008, 8:41 pm

Re: Vundo infection

Unread postby Shaba » January 25th, 2008, 5:03 am

Hi

I see no antivirus installed so that is the next step:

Looking over your log, it seems you don't have any evidence of anti-virus software.

Anti-virus software consists of programs that detect, cleanse, and erase harmful virus files on a computer, web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

You also had a keylogger, so I highly recommend doing the following:

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Also, do you know what is inside this folder?

Post back a fresh HijackThis log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Vundo infection

Unread postby Cazper » January 25th, 2008, 9:21 am

Antivirus installed.

As far as the question of "do you know what is inside this folder?" goes... you didn't list a folder.
So it's not safe for me to update all of my passwords now from this comp?

Fresh log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:19, on 2008-01-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\mozilla2\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Trend Micro\HijackThis\Cazper.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 3921 bytes
Cazper
Active Member
 
Posts: 13
Joined: January 16th, 2008, 8:41 pm

Re: Vundo infection

Unread postby Shaba » January 25th, 2008, 12:58 pm

Hi

Oops, I meant this folder -> C:\WINDOWS\system32\99959A9596989D

"So its not safe for me to update all of my passwords now from this comp?"

Rather from another known clean computer, to play safe.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Vundo infection

Unread postby Cazper » January 28th, 2008, 3:40 pm

Nope, no idea what's in that folder.
Cazper
Active Member
 
Posts: 13
Joined: January 16th, 2008, 8:41 pm

Re: Vundo infection

Unread postby Shaba » January 29th, 2008, 5:01 am

Hi

Open notepad and copy/paste the text in the quotebox below into it:

DirLook::
C:\WINDOWS\system32\99959A9596989D


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes named findstr, find, sed or swreg; then ComboFix should continue.
If that happened, we want to know, and also which process you had to end.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Vundo infection

Unread postby Cazper » January 29th, 2008, 8:30 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:27, on 2008-01-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Cazper.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 3848 bytes


ComboFix 08-01-23.2 - casper 2008-01-29 18:22:19.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1691 [GMT -6:00]
Running from: C:\Documents and Settings\casper\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\casper\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\casper\Application Data\SSTEM~1
C:\Documents and Settings\casper\Application Data\SSTEM~1\cmd .exe
C:\Documents and Settings\casper\Application Data\SSTEM~1\cmd.exe
C:\Documents and Settings\casper\Application Data\SSTEM~1\s?stem\
C:\Documents and Settings\casper\Local Settings\Application Data\135050f7 .exe
C:\Documents and Settings\casper\Local Settings\Application Data\135050f7.exe
C:\Documents and Settings\casper\Start Menu\Programs\UltimateCleaner 2007
C:\Documents and Settings\casper\Start Menu\Programs\UltimateCleaner 2007\Register UltimateCleaner 2007.lnk
C:\Documents and Settings\casper\Start Menu\Programs\UltimateCleaner 2007\Start UltimateCleaner 2007.lnk
C:\Documents and Settings\casper\Start Menu\Programs\UltimateCleaner 2007\Uninstall UltimateCleaner 2007.lnk
C:\info.exe
C:\PROGRA~1\COMMON~1\wffu\wffum .exe
C:\Program Files\Common Files\wffu
C:\Program Files\Common Files\wffu\wffua.lck
C:\Program Files\Common Files\wffu\wffud\class-barrel
C:\Program Files\Common Files\wffu\wffud\vocabulary
C:\Program Files\Common Files\wffu\wffud\wffuc.dll
C:\Program Files\Common Files\wffu\wfful.exe
C:\Program Files\Common Files\wffu\wfful.lck
C:\Program Files\Common Files\wffu\wffum .exe
C:\Program Files\Common Files\wffu\wffum.exe
C:\Program Files\Common Files\wffu\wffum.lck
C:\Program Files\Common Files\wffu\wffup.exe
C:\Program Files\ComPlus Applications\nixyheqix455101.dll
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB .EXE
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Dot1XCfg\Dot1XCfg .exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\inetget2
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr .Exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\outerinfo
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\sks~1
C:\Program Files\sks~1\??plorer.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\Program Files\Words
C:\Program Files\Words\list.txt
C:\Program Files\Words\script.txt
C:\Program Files\Words\UnInstall.exe
C:\Program Files\Words\Words .exe
C:\Program Files\Words\Words.exe
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b143.exe
C:\WINDOWS\b149.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\mrofinu72.exe.tmp
C:\WINDOWS\system32\135050f7 .exe
C:\WINDOWS\system32\135050f7.exe
C:\WINDOWS\system32\AEAAAFAAABADB2.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\hjllm.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljgh.dll
C:\WINDOWS\system32\mljgh.exe
C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\mlljh.exe
C:\WINDOWS\system32\npsxvblx.ini
C:\WINDOWS\system32\psc_mon .exe
C:\WINDOWS\system32\pxsqvcyw.ini
C:\WINDOWS\system32\RCX22.tmp
C:\WINDOWS\system32\RCX24.tmp
C:\WINDOWS\system32\RCX30.tmp
C:\WINDOWS\system32\RCX3E.tmp
C:\WINDOWS\system32\spoolsvv.exe
C:\WINDOWS\system32\wnsapisv32.exe
C:\WINDOWS\wffu
C:\WINDOWS\wffu\wffu.dat
C:\WINDOWS\wffu\wu
C:\WINDOWS\Y2FzcGVy\
C:\WINDOWS\Y2FzcGVy\\asappsrv.dll
C:\WINDOWS\Y2FzcGVy\\sZIWw3pV.vbs

C:\Documents and Settings\casper\Local Settings\Application Data\135050f7 .exe ---> QooBox
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB .EXE ---> QooBox
C:\Program Files\Dot1XCfg\Dot1XCfg .exe ---> QooBox
C:\Program Files\iTunes\iTunesHelper .exe ---> QooBox
C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe ---> QooBox
C:\Program Files\MSN Messenger\MsnMsgr .Exe ---> QooBox
C:\Program Files\Words\Words .exe ---> QooBox
C:\WINDOWS\system32\135050f7 .exe ---> QooBox

.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService


-------\LEGACY_MMX4XM
-------\LEGACY_MMX4XT
-------\mmx4xm
-------\mmx4xt




((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-25 07:15 . 2008-01-25 07:15 <DIR> d-------- C:\Program Files\Avira
2008-01-23 18:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-16 18:29 . 2008-01-16 18:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-14 18:14 . 2008-01-16 18:11 <DIR> d-------- C:\VundoFix Backups
2008-01-14 15:36 . 2008-01-14 15:36 <DIR> d-------- C:\WINDOWS\system32\99959A9596989D
2008-01-13 17:28 . 2008-01-14 17:07 357 --a------ C:\WINDOWS\wininit.ini
2008-01-13 12:48 . 2008-01-23 18:38 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-10 18:29 . 2008-01-10 18:29 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-01-08 18:33 . 2008-01-08 18:34 38 --a------ C:\WINDOWS\avisplitter.INI
2007-12-17 13:00 . 2007-12-17 13:12 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-12-17 13:00 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2007-12-17 13:00 . 2007-07-29 16:51 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-12-17 13:00 . 2007-07-10 17:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2007-12-17 12:43 . 2007-12-11 16:34 120,056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-12-17 12:43 . 2007-12-11 16:34 118,520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-12-15 14:40 . 2007-12-11 16:34 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-12-15 14:40 . 2007-03-07 17:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-15 14:40 . 2007-03-07 17:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-14 09:30 . 2008-01-13 12:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-14 09:30 . 2007-12-14 09:30 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-11 22:00 . 2007-12-11 22:00 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-11 16:34 . 2007-12-11 16:34 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 16:34 . 2007-12-11 16:34 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 16:34 . 2007-12-11 16:34 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 16:33 . 2007-12-11 16:33 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 16:33 . 2007-12-11 16:33 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-12-11 16:33 . 2007-12-11 16:33 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-12-11 16:33 . 2007-12-11 16:33 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-12-11 16:33 . 2007-12-11 16:33 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-12-11 16:33 . 2007-12-11 16:33 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-12-11 16:33 . 2007-12-11 16:33 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-12-11 16:33 . 2007-12-11 16:33 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 16:33 . 2007-12-11 16:33 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2007-12-11 16:33 . 2007-12-11 16:33 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2007-12-11 16:32 . 2007-12-11 16:32 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2007-12-11 16:32 . 2007-12-11 16:32 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-11 15:32 . 2007-12-11 15:32 <DIR> d-------- C:\Program Files\Realtek AC97
2007-12-11 15:32 . 2006-12-08 15:20 10,528,768 -ra------ C:\WINDOWS\system32\RTLCPL.exe
2007-12-11 15:32 . 2007-04-16 15:28 577,536 -ra------ C:\WINDOWS\soun3365.rra
2007-12-11 15:32 . 2006-10-18 02:53 147,456 -ra------ C:\WINDOWS\system32\RtlCPAPI.dll
2007-12-11 15:32 . 2006-08-01 15:02 49,152 -ra------ C:\WINDOWS\system32\ChCfg.exe
2007-12-11 15:00 . 2007-12-11 15:00 <DIR> d-------- C:\drivers
2007-12-11 14:42 . 2007-12-11 14:42 <DIR> d-------- C:\Program Files\Activision
2007-12-11 10:41 . 2007-12-11 10:41 <DIR> d-------- C:\Program Files\Ventrilo
2007-12-11 10:41 . 2007-12-11 10:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-11 09:43 . 2007-12-11 09:43 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 00:19 --------- d-----w C:\Program Files\mozilla2
2008-01-25 13:08 --------- d-s---w C:\Program Files\Xfire
2008-01-24 00:38 --------- d-----w C:\Program Files\QuickTime
2008-01-24 00:38 --------- d-----w C:\Program Files\MSN Messenger
2008-01-24 00:38 --------- d-----w C:\Program Files\iTunes
2008-01-14 01:44 --------- d-----w C:\Program Files\Steam
2007-12-30 16:17 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-12-30 16:17 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-30 16:17 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-17 19:10 --------- d-----w C:\Program Files\DivX
2007-12-15 20:40 --------- d-----w C:\Program Files\Winamp
2007-12-11 20:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-05 00:16 356,352 ----a-w C:\WINDOWS\system32\nvusmb.exe
2007-10-05 00:16 356,352 ----a-w C:\WINDOWS\system32\NVUninst.exe
2007-10-05 00:16 356,352 ----a-w C:\WINDOWS\system32\nvumctl.exe
2007-10-05 00:16 356,352 ----a-w C:\WINDOWS\system32\nvuide.exe
2007-10-05 00:16 356,352 ----a-w C:\WINDOWS\system32\nvugart.exe
2007-10-05 00:16 356,352 ----a-w C:\WINDOWS\system32\nvuenet.exe
2007-10-05 00:16 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-10-04 23:14 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-10-04 23:14 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-10-04 23:14 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-10-04 23:14 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-10-04 23:14 6,750,208 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-10-04 23:14 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-10-04 23:14 5,783,424 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-10-04 23:14 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-10-04 23:14 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-10-04 23:14 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-10-04 23:14 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-10-04 23:14 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-10-04 23:14 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-10-04 23:14 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-10-04 23:14 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-10-04 23:14 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-10-04 23:14 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-10-04 23:14 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-10-04 23:14 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-10-04 23:14 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-10-04 23:14 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-10-04 23:14 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-10-04 23:14 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-10-04 23:14 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-10-04 23:14 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-10-04 23:14 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-10-04 23:14 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-10-04 23:14 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-10-04 23:14 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
1998-08-24 18:09 10,000 ----a-w C:\WINDOWS\inf\unregpn.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\99959A9596989D ----

2008-01-24 17:02 58 --a------ C:\WINDOWS\system32\99959A9596989D\C7C3C8C3C4C6CB


((((((((((((((((((((((((((((( snapshot@2008-01-23_18.43.09.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-24 00:33:30 434,176 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-30 00:22:00 434,176 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-24 00:33:30 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-30 00:22:01 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-24 00:33:30 434,176 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-30 00:22:01 434,176 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-24 00:33:30 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-30 00:22:01 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-24 00:33:30 3,629,056 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-30 00:22:01 3,629,056 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-24 00:33:31 98,304 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-30 00:22:01 98,304 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2007-08-09 19:04:11 40,768 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2007-07-18 20:22:19 21,312 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2008-01-25 13:44:19 61,632 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2007-03-01 16:34:36 28,352 ----a-w C:\WINDOWS\system32\drivers\ssmdrv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"AudioHQ"="C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [ ]
"Creative Launcher"="C:\Program Files\Creative\Launcher\CTLauncher.exe" [ ]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\SOUNDMAN.EXE]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-25 07:44 249896]

C:\Documents and Settings\casper\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2008-01-10 18:29:50 2872144]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mmx4xm.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mmx4xt.sys]
@="Driver"

S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys [2001-08-17 12:19]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{503eea5e-5574-11da-95eb-000fea32f1aa}]
\Shell\AutoRun\command - H:\Autorun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 18:26:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Cazper
Active Member
 
Posts: 13
Joined: January 16th, 2008, 8:41 pm

Re: Vundo infection

Unread postby Shaba » January 30th, 2008, 5:56 am

Hi

Open notepad and copy/paste the text in the quotebox below into it:

Folder::
C:\WINDOWS\system32\99959A9596989D

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mmx4xm.sys]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mmx4xt.sys]


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: the saved CFScript being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened, we want to know, and also what process you had to end.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
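The CFScript above removes two SafeBoot\Minimal driver entries and a folder, and the ComboFix log posted before it shows the pattern that makes such a script necessary: look-alike executables such as "qttask .exe" (a space squeezed in before the extension) sat beside the real files, and the QuickTime Run value pointed at the look-alike rather than the original. As an added example that is not part of this thread and is not ComboFix's own code, the script below reads a ComboFix-style log, lists the space-before-extension names together with their legitimate twins, flags Run entries that launch one of them, and renders the non-default SafeBoot keys ComboFix printed as the Registry:: block a CFScript needs. It assumes the "(((( Name ))))" banners and REGEDIT4-style key layout seen in the logs above; SAMPLE_LOG is a constructed excerpt built from lines quoted in this thread.

```python
"""Triage a ComboFix log: spot look-alike executables and draft a CFScript block.

Added example for this thread; not code from MalwareRemoval.com, from the posters,
or from ComboFix. Assumes the log layout seen in the thread: section banners of the
form "(((( Name ))))", bare Windows paths under "Other Deletions", and REGEDIT4-style
keys and values under "Reg Loading Points". SAMPLE_LOG is a constructed excerpt.
"""
import re

# Constructed sample: a trimmed ComboFix log carrying the three things the script reads.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\psc_mon .exe
C:\WINDOWS\system32\AEAAAFAAABADB2.exe
C:\WINDOWS\Y2FzcGVy\\sZIWw3pV.vbs

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mmx4xm.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mmx4xt.sys]
@="Driver"
"""

SECTION_RE = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*\)+\s*$", re.M)
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$", re.M)          # a line that is just a Windows path
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"', re.M)
SAFEBOOT_RE = re.compile(
    r"^\[(?P<key>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
    r"(?:Minimal|Network)\\[^\]]+)\]$",
    re.M | re.I,
)
# "qttask .exe": a space before the extension so the name reads like the real program.
IMPOSTOR_RE = re.compile(r"^(?P<stem>.*\S) +(?P<ext>\.[A-Za-z0-9]{1,4})$")


def sections(log):
    """Split the log into {banner name: body text} using ComboFix's ((( Name ))) banners."""
    out = {}
    banners = list(SECTION_RE.finditer(log))
    for i, m in enumerate(banners):
        end = banners[i + 1].start() if i + 1 < len(banners) else len(log)
        out[m.group("name")] = log[m.end():end]
    return out


def deleted_paths(log):
    """Every path ComboFix listed under 'Other Deletions'."""
    return PATH_RE.findall(sections(log).get("Other Deletions", ""))


def find_impostors(paths):
    """Return (impostor, legit twin or None) for names with a space before the extension."""
    seen = {p.lower() for p in paths}
    hits = []
    for p in paths:
        m = IMPOSTOR_RE.match(p)
        if m:
            twin = m.group("stem") + m.group("ext")
            hits.append((p, twin if twin.lower() in seen else None))
    return hits


def suspicious_autostarts(log):
    """Run-key values whose target is itself a space-before-extension name."""
    body = sections(log).get("Reg Loading Points", "")
    return [(m.group("name"), m.group("target"))
            for m in RUN_RE.finditer(body) if IMPOSTOR_RE.match(m.group("target"))]


def safeboot_entries(log):
    """SafeBoot driver keys ComboFix printed; it hides the legit default ones itself."""
    body = sections(log).get("Reg Loading Points", "")
    return [m.group("key") for m in SAFEBOOT_RE.finditer(body)]


def cfscript_registry_block(keys):
    """Render a CFScript Registry:: block; '-' inside the brackets tells ComboFix to delete the key."""
    lines = ["Registry::"]
    for k in keys:
        lines += [f"[-{k}]", ""]
    return "\n".join(lines).rstrip("\n")


if __name__ == "__main__":
    for impostor, twin in find_impostors(deleted_paths(SAMPLE_LOG)):
        print(f"look-alike: {impostor}  (legit twin: {twin or 'none listed'})")
    for name, target in suspicious_autostarts(SAMPLE_LOG):
        print(f"autostart '{name}' launches look-alike {target}")
    print(cfscript_registry_block(safeboot_entries(SAMPLE_LOG)))
```

Run it directly to print the report. A Registry:: block assembled this way still needs a human check before it goes into ComboFix: the log only omits SafeBoot entries ComboFix knows to be default, so a printed key is a candidate for removal, not proof that it is malicious.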

Re: Vundo infection

Unread postby Cazper » January 30th, 2008, 7:30 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:29, on 2008-01-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Cazper.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 3814 bytes


ComboFix 08-01-23.2 - casper 2008-01-30 17:23:09.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1686 [GMT -6:00]
Running from: C:\Documents and Settings\casper\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\casper\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\99959A9596989D
C:\WINDOWS\system32\99959A9596989D\C7C3C8C3C4C6CB
.
---- Previous Run -------
.
C:\DOCUME~1\casper\APPLIC~1\SSTEM~1\cmd.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\casper\Application Data\SSTEM~1
C:\Documents and Settings\casper\Application Data\SSTEM~1\cmd .exe
C:\Documents and Settings\casper\Application Data\SSTEM~1\cmd.exe
C:\Documents and Settings\casper\Application Data\SSTEM~1\s?stem\
C:\Documents and Settings\casper\Local Settings\Application Data\135050f7 .exe
C:\Documents and Settings\casper\Local Settings\Application Data\135050f7.exe
C:\Documents and Settings\casper\Start Menu\Programs\UltimateCleaner 2007
C:\Documents and Settings\casper\Start Menu\Programs\UltimateCleaner 2007\Register UltimateCleaner 2007.lnk
C:\Documents and Settings\casper\Start Menu\Programs\UltimateCleaner 2007\Start UltimateCleaner 2007.lnk
C:\Documents and Settings\casper\Start Menu\Programs\UltimateCleaner 2007\Uninstall UltimateCleaner 2007.lnk
C:\info.exe
C:\PROGRA~1\COMMON~1\wffu\wffum .exe
C:\Program Files\Common Files\wffu
C:\Program Files\Common Files\wffu\wffua.lck
C:\Program Files\Common Files\wffu\wffud\class-barrel
C:\Program Files\Common Files\wffu\wffud\vocabulary
C:\Program Files\Common Files\wffu\wffud\wffuc.dll
C:\Program Files\Common Files\wffu\wfful.exe
C:\Program Files\Common Files\wffu\wfful.lck
C:\Program Files\Common Files\wffu\wffum .exe
C:\Program Files\Common Files\wffu\wffum.exe
C:\Program Files\Common Files\wffu\wffum.lck
C:\Program Files\Common Files\wffu\wffup.exe
C:\Program Files\ComPlus Applications\nixyheqix455101.dll
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB .EXE
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Dot1XCfg\Dot1XCfg .exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\inetget2
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr .Exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\outerinfo
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\sks~1
C:\Program Files\sks~1\??plorer.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\Program Files\Words
C:\Program Files\Words\list.txt
C:\Program Files\Words\script.txt
C:\Program Files\Words\UnInstall.exe
C:\Program Files\Words\Words .exe
C:\Program Files\Words\Words.exe
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b143.exe
C:\WINDOWS\b149.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\mrofinu72.exe.tmp
C:\WINDOWS\system32\135050f7 .exe
C:\WINDOWS\system32\135050f7.exe
C:\WINDOWS\system32\AEAAAFAAABADB2.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\hjllm.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljgh.dll
C:\WINDOWS\system32\mljgh.exe
C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\mlljh.exe
C:\WINDOWS\system32\npsxvblx.ini
C:\WINDOWS\system32\psc_mon .exe
C:\WINDOWS\system32\pxsqvcyw.ini
C:\WINDOWS\system32\RCX22.tmp
C:\WINDOWS\system32\RCX24.tmp
C:\WINDOWS\system32\RCX30.tmp
C:\WINDOWS\system32\RCX3E.tmp
C:\WINDOWS\system32\spoolsvv.exe
C:\WINDOWS\system32\wnsapisv32.exe
C:\WINDOWS\wffu
C:\WINDOWS\wffu\wffu.dat
C:\WINDOWS\wffu\wu
C:\WINDOWS\Y2FzcGVy\
C:\WINDOWS\Y2FzcGVy\\asappsrv.dll
C:\WINDOWS\Y2FzcGVy\\sZIWw3pV.vbs

C:\Documents and Settings\casper\Local Settings\Application Data\135050f7 .exe ---> QooBox
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB .EXE ---> QooBox
C:\Program Files\Dot1XCfg\Dot1XCfg .exe ---> QooBox
C:\Program Files\iTunes\iTunesHelper .exe ---> QooBox
C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe ---> QooBox
C:\Program Files\MSN Messenger\MsnMsgr .Exe ---> QooBox
C:\Program Files\Words\Words .exe ---> QooBox
C:\WINDOWS\system32\135050f7 .exe ---> QooBox

.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService


-------\LEGACY_MMX4XM
-------\LEGACY_MMX4XT
-------\mmx4xm
-------\mmx4xt






((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-25 07:15 . 2008-01-25 07:15 <DIR> d-------- C:\Program Files\Avira
2008-01-23 18:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-16 18:29 . 2008-01-16 18:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-14 18:14 . 2008-01-29 19:47 <DIR> d-------- C:\VundoFix Backups
2008-01-13 17:28 . 2008-01-14 17:07 357 --a------ C:\WINDOWS\wininit.ini
2008-01-13 12:48 . 2008-01-23 18:38 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-10 18:29 . 2008-01-10 18:29 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-01-08 18:33 . 2008-01-08 18:34 38 --a------ C:\WINDOWS\avisplitter.INI
2007-12-17 13:00 . 2007-12-17 13:12 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-12-17 13:00 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2007-12-17 13:00 . 2007-07-29 16:51 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-12-17 13:00 . 2007-07-10 17:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2007-12-17 12:43 . 2007-12-11 16:34 120,056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-12-17 12:43 . 2007-12-11 16:34 118,520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-12-15 14:40 . 2007-12-11 16:34 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2007-12-15 14:40 . 2007-03-07 17:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-15 14:40 . 2007-03-07 17:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-14 09:30 . 2008-01-13 12:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-14 09:30 . 2007-12-14 09:30 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-11 22:00 . 2007-12-11 22:00 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-11 16:34 . 2007-12-11 16:34 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 16:34 . 2007-12-11 16:34 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 16:34 . 2007-12-11 16:34 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 16:33 . 2007-12-11 16:33 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 16:33 . 2007-12-11 16:33 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-12-11 16:33 . 2007-12-11 16:33 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-12-11 16:33 . 2007-12-11 16:33 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-12-11 16:33 . 2007-12-11 16:33 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-12-11 16:33 . 2007-12-11 16:33 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-12-11 16:33 . 2007-12-11 16:33 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-12-11 16:33 . 2007-12-11 16:33 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 16:33 . 2007-12-11 16:33 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2007-12-11 16:33 . 2007-12-11 16:33 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2007-12-11 16:32 . 2007-12-11 16:32 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2007-12-11 16:32 . 2007-12-11 16:32 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-11 15:32 . 2007-12-11 15:32 <DIR> d-------- C:\Program Files\Realtek AC97
2007-12-11 15:32 . 2006-12-08 15:20 10,528,768 -ra------ C:\WINDOWS\system32\RTLCPL.exe
2007-12-11 15:32 . 2007-04-16 15:28 577,536 -ra------ C:\WINDOWS\soun3365.rra
2007-12-11 15:32 . 2006-10-18 02:53 147,456 -ra------ C:\WINDOWS\system32\RtlCPAPI.dll
2007-12-11 15:32 . 2006-08-01 15:02 49,152 -ra------ C:\WINDOWS\system32\ChCfg.exe
2007-12-11 15:00 . 2007-12-11 15:00 <DIR> d-------- C:\drivers
2007-12-11 14:42 . 2007-12-11 14:42 <DIR> d-------- C:\Program Files\Activision
2007-12-11 10:41 . 2007-12-11 10:41 <DIR> d-------- C:\Program Files\Ventrilo
2007-12-11 10:41 . 2007-12-11 10:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-11 09:43 . 2007-12-11 09:43 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 23:21 --------- d-----w C:\Program Files\mozilla2
2008-01-25 13:08 --------- d-s---w C:\Program Files\Xfire
2008-01-24 00:38 --------- d-----w C:\Program Files\QuickTime
2008-01-24 00:38 --------- d-----w C:\Program Files\MSN Messenger
2008-01-24 00:38 --------- d-----w C:\Program Files\iTunes
2008-01-14 01:44 --------- d-----w C:\Program Files\Steam
2007-12-30 16:17 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-12-30 16:17 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-30 16:17 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-17 19:10 --------- d-----w C:\Program Files\DivX
2007-12-15 20:40 --------- d-----w C:\Program Files\Winamp
2007-12-11 20:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-05 00:16 356,352 ----a-w C:\WINDOWS\system32\nvusmb.exe
2007-10-05 00:16 356,352 ----a-w C:\WINDOWS\system32\NVUninst.exe
2007-10-05 00:16 356,352 ----a-w C:\WINDOWS\system32\nvumctl.exe
2007-10-05 00:16 356,352 ----a-w C:\WINDOWS\system32\nvuide.exe
2007-10-05 00:16 356,352 ----a-w C:\WINDOWS\system32\nvugart.exe
2007-10-05 00:16 356,352 ----a-w C:\WINDOWS\system32\nvuenet.exe
2007-10-05 00:16 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-10-04 23:14 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-10-04 23:14 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-10-04 23:14 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-10-04 23:14 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-10-04 23:14 6,750,208 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-10-04 23:14 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-10-04 23:14 5,783,424 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-10-04 23:14 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-10-04 23:14 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-10-04 23:14 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-10-04 23:14 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-10-04 23:14 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-10-04 23:14 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-10-04 23:14 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-10-04 23:14 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-10-04 23:14 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-10-04 23:14 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-10-04 23:14 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-10-04 23:14 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-10-04 23:14 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-10-04 23:14 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-10-04 23:14 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-10-04 23:14 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-10-04 23:14 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-10-04 23:14 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-10-04 23:14 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-10-04 23:14 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-10-04 23:14 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-10-04 23:14 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
1998-08-24 18:09 10,000 ----a-w C:\WINDOWS\inf\unregpn.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-23_18.43.09.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-24 00:33:30 434,176 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-30 23:23:04 434,176 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-24 00:33:30 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-30 23:23:04 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-24 00:33:30 434,176 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-30 23:23:04 434,176 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-24 00:33:30 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-30 23:23:04 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-24 00:33:30 3,629,056 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-30 23:23:04 3,629,056 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-24 00:33:31 98,304 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-30 23:23:04 98,304 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2007-08-09 19:04:11 40,768 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2007-07-18 20:22:19 21,312 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2008-01-25 13:44:19 61,632 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2007-03-01 16:34:36 28,352 ----a-w C:\WINDOWS\system32\drivers\ssmdrv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"AudioHQ"="C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [ ]
"Creative Launcher"="C:\Program Files\Creative\Launcher\CTLauncher.exe" [ ]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\SOUNDMAN.EXE]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-25 07:44 249896]

C:\Documents and Settings\casper\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2008-01-10 18:29:50 2872144]

S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys [2001-08-17 12:19]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{503eea5e-5574-11da-95eb-000fea32f1aa}]
\Shell\AutoRun\command - H:\Autorun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 17:26:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Cazper
Active Member
 
Posts: 13
Joined: January 16th, 2008, 8:41 pm
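An added example for readers who want to triage a ComboFix "Reg Loading Points" section like the one above: this is editor-supplied Python, not code from the poster, from MalwareRemoval.com, or from ComboFix. It parses the Run-key values and the mountpoints2 AutoRun lines quoted from this log (embedded below as the sample input) and flags the patterns a helper would look at first: a file name with whitespace before its extension (the "qttask .exe" masquerade visible in this log, next to the genuine qttask.exe), an AutoRun command cached for a removable or mapped drive, and a Run value that names a bare file with no directory, which Windows resolves through the search path. The regular expressions and the wording of each finding are the example's own assumptions about ComboFix's output format; the log lines themselves are taken verbatim from the post above.

```python
import re

# Sample input: Run keys and mountpoints2 lines copied from the ComboFix log
# posted above (a subset of the HKLM Run values, to keep the example short).
LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-25 07:44 249896]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{503eea5e-5574-11da-95eb-000fea32f1aa}]
\Shell\AutoRun\command - H:\Autorun.exe
'''

# Assumed line shapes for this section of a ComboFix log (not an official grammar).
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"="([^"]*)"\s*\[(.*)\]$')
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command - (.+)$')
# Whitespace immediately before a common executable extension, e.g. "qttask .exe".
SPACE_BEFORE_EXT = re.compile(r'\s+\.(exe|dll|com|scr|bat|cmd)$', re.IGNORECASE)


def parse_loading_points(text):
    """Return (key, name, target, fileinfo) tuples for every Run value and
    (key, 'AutoRun', command, '') for every mountpoints2 AutoRun command."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # remember the registry key for following lines
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m.group(1), m.group(2), m.group(3).strip()))
            continue
        m = AUTORUN_RE.match(line)
        if m and key:
            entries.append((key, 'AutoRun', m.group(1).strip(), ''))
    return entries


def triage(entries):
    """Apply the three checks and return one finding dict per suspicious entry."""
    findings = []
    for key, name, target, info in entries:
        reasons = []
        if SPACE_BEFORE_EXT.search(target):
            reasons.append('whitespace before the extension: looks like a legitimate '
                           'file name but is a different file')
        if name == 'AutoRun' and 'mountpoints2' in key.lower():
            reasons.append('AutoRun command cached for a removable or mapped drive; '
                           'confirm the drive and the file it points at')
        if name != 'AutoRun' and target and '\\' not in target:
            reasons.append('bare file name with no directory; Windows resolves it via '
                           'the search path, so verify where it actually resolved')
        if reasons:
            findings.append({'key': key, 'name': name, 'target': target,
                             'fileinfo': info, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(parse_loading_points(LOG)):
        print(f"{f['name']!r} -> {f['target']}")
        for r in f['reasons']:
            print('   -', r)
```

The whitespace-before-extension check is the one that matters most for this particular log: both "qttask .exe" and "jusched .exe" appear in the running-process list while the real qttask.exe and jusched.exe also run, so a side-by-side comparison of the two file names is a quick way to separate the masquerading copy from the original. The bare-file-name check is low severity on its own (ComboFix already shows where nwiz.exe and SOUNDMAN.EXE resolved), and is included so the resolved location gets a second look rather than being taken on trust.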