
Vundo Infection


deb46


I have a Vundo infection - I already ran ComboFix (the computer was almost unusable before running it) and have the following log. I greatly appreciate your assistance.

ComboFix 09-09-23.02 - Mom 09/23/2009 19:12.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.409 [GMT -5:00]

Running from: c:\documents and settings\Mom\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Mom\Application Data\inst.exe

c:\windows\Installer\126ebe.msi

c:\windows\Installer\1927106.msp

c:\windows\Installer\1aef68.msi

c:\windows\Installer\1d953f4.msi

c:\windows\Installer\31500a.msi

c:\windows\Installer\315010.msi

c:\windows\Installer\315016.msi

c:\windows\Installer\a49cbbb.msp

c:\windows\Installer\fc69ac.msi

c:\windows\Installer\WinRMSrv.msi

c:\windows\patch.exe

c:\windows\qrt2.reg

c:\windows\system32\drivers\fad.sys

c:\windows\system32\fogebota.dll

c:\windows\system32\hesudobu.dll

c:\windows\system32\kimuremo.dll

c:\windows\system32\kosumivo.dll

c:\windows\system32\lobuzosi.dll

c:\windows\system32\mawijeho.dll

c:\windows\system32\rayedutu.dll

c:\windows\system32\rayohupo.dll

c:\windows\system32\tejekuru.dll

c:\windows\system32\tmp.reg

c:\windows\system32\zoroviro.dll

c:\windows\winhelp.ini

c:\windows\wpd99.drv

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://82.98.231.96

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((( Files Created from 2009-08-24 to 2009-09-24 )))))))))))))))))))))))))))))))

.

2009-09-23 20:17 . 2009-09-23 20:17 444 ----a-w- c:\windows\system32\d3d8caps.dat

2009-09-22 21:14 . 2009-09-22 21:14 -------- d-----w- C:\VundoFix Backups

2009-09-22 02:24 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2009-09-22 02:24 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\dllcache\usbaudio.sys

2009-09-21 21:13 . 2009-09-21 21:13 -------- d-----w- c:\documents and settings\Mom\Application Data\Office Genuine Advantage

2009-09-20 15:21 . 2009-09-20 15:21 -------- d-----w- c:\program files\Trend Micro

2009-09-20 13:14 . 2009-09-20 13:14 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-09-19 15:17 . 2009-09-19 15:17 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-09-19 15:17 . 2009-09-19 15:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-09-09 22:53 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-22 22:03 . 2005-05-16 22:37 -------- d-----w- c:\program files\Google

2009-09-19 19:53 . 2008-10-02 02:24 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2009-09-11 13:30 . 2009-01-30 01:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-11 01:47 . 2008-10-08 23:46 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-10 19:54 . 2009-01-30 01:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 19:53 . 2009-01-30 01:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-05 09:01 . 2002-12-12 05:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll

2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll

2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe

2009-07-17 19:01 . 2004-03-19 22:33 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 04:43 . 2004-08-04 07:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2004-02-06 23:05 915456 ----a-w- c:\windows\system32\wininet.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]

"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]

"IPInSightMonitor 03"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 122880]

"IPInSightLAN 03"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 380928]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-07-11 180269]

"Ulead AutoDetector"="c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-11-18 45056]

"Ulead Photo Express Calendar Checker"="c:\program files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe" [2004-01-13 69632]

"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]

"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]

"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]

"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-03-25 645328]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"Disk Monitor"="c:\program files\Lexar Media Inc\USB Card Reader Driver v2.2(M)\Disk_Monitor.exe" [2004-06-29 491008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]

LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2007-1-11 1078]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\McAfee\\VirusScan\\mcods.exe"=

"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"9420:TCP"= 9420:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

"1064:TCP"= 1064:TCP:Akamai NetSession Interface

"1077:TCP"= 1077:TCP:Akamai NetSession Interface

"1072:TCP"= 1072:TCP:Akamai NetSession Interface

"1054:TCP"= 1054:TCP:Akamai NetSession Interface

"2545:TCP"= 2545:TCP:Akamai NetSession Interface

"1080:TCP"= 1080:TCP:Akamai NetSession Interface

"1058:TCP"= 1058:TCP:Akamai NetSession Interface

"1071:TCP"= 1071:TCP:Akamai NetSession Interface

"1076:TCP"= 1076:TCP:Akamai NetSession Interface

"1677:TCP"= 1677:TCP:Akamai NetSession Interface

"1075:TCP"= 1075:TCP:Akamai NetSession Interface

"1073:TCP"= 1073:TCP:Akamai NetSession Interface

"3029:TCP"= 3029:TCP:Akamai NetSession Interface

"4207:TCP"= 4207:TCP:Akamai NetSession Interface

"1839:TCP"= 1839:TCP:Akamai NetSession Interface

"1065:TCP"= 1065:TCP:Akamai NetSession Interface

"1055:TCP"= 1055:TCP:Akamai NetSession Interface

"1096:TCP"= 1096:TCP:Akamai NetSession Interface

"1086:TCP"= 1086:TCP:Akamai NetSession Interface

"1063:TCP"= 1063:TCP:Akamai NetSession Interface

"1068:TCP"= 1068:TCP:Akamai NetSession Interface

"1074:TCP"= 1074:TCP:Akamai NetSession Interface

"1061:TCP"= 1061:TCP:Akamai NetSession Interface

"1282:TCP"= 1282:TCP:Akamai NetSession Interface

"1066:TCP"= 1066:TCP:Akamai NetSession Interface

"1439:TCP"= 1439:TCP:Akamai NetSession Interface

"1062:TCP"= 1062:TCP:Akamai NetSession Interface

"1056:TCP"= 1056:TCP:Akamai NetSession Interface

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/29/2009 8:15 PM 269648]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/12/2009 7:12 PM 210216]

R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [1/29/2009 8:15 PM 19160]

S2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [3/19/2004 5:43 PM 14336]

S3 SAUSBHW;%SAUSBHW.SvcDesc%;c:\windows\SYSTEM32\DRIVERS\SAUSB.SYS [12/28/2004 7:38 PM 171600]

S3 SNDP202;Dual Mode Camera (8008 VGA);c:\windows\SYSTEM32\DRIVERS\sndp202.sys [3/18/2008 5:14 PM 228096]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Akamai REG_MULTI_SZ Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-09-11 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Mom.job

- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-01-30 19:53]

2009-09-11 c:\windows\Tasks\Malwarebytes' Scheduled Update for Mom.job

- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-01-30 19:53]

2009-06-13 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-13 15:53]

2009-08-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-13 15:53]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} - hxxp://www.digitalwebbooks.com/reader/dbplugin.cab

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371420.cab

.

- - - - ORPHANS REMOVED - - - -

BHO-{31da2ab1-3d85-4a5d-8756-451161cf283e} - zoroviro.dll

HKCU-Run-Sonic RecordNow! - c:\program files\Messenger\msmsgs.exe

HKCU-Run-MSMSGS - c:\program files\Messenger\msmsgs.exe

HKLM-Run-duyuvumapo - kimuremo.dll

AddRemove-HijackThis - c:\documents and settings\Mom\Local Settings\Temporary Internet Files\Content.IE5\SUFPLXHW\HijackThis.exe

AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe

AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe

AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe

AddRemove-ToneGen - c:\program files\NCH Swift Sound\ToneGen\uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-23 19:24

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,15,a7,0a,b0,45,25,c0,49,be,5b,f1,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,15,a7,0a,b0,45,25,c0,49,be,5b,f1,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3996)

c:\windows\system32\WININET.dll

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\program files\Iomega\DriveIcons\IMGHOOK.DLL

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\SYSTEM32\LEXBCES.EXE

c:\windows\SYSTEM32\LEXPPS.EXE

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\windows\SYSTEM32\CTSVCCDA.EXE

c:\progra~1\Iomega\System32\AppServices.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\program files\Common Files\McAfee\MNA\McNASvc.exe

c:\program files\Common Files\McAfee\McProxy\McProxy.exe

c:\program files\McAfee\VirusScan\Mcshield.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\McAfee\MPF\MpfSrv.exe

c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

c:\windows\SYSTEM32\RioMSC.exe

c:\program files\Iomega\AutoDisk\ADService.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\documents and settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\SYSTEM32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-09-24 19:38 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-24 00:37

Pre-Run: 18,647,695,360 bytes free

Post-Run: 18,499,665,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6

281 --- E O F --- 2009-09-10 02:52


Root Admin

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Administrator)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new HijackThis log.
