az10 Posted November 5, 2009

I've acquired the Vundo and I ran Malwarebytes and it got rid of some and supposedly got rid of the others after a reboot. Unfortunately, later in the day, it keeps coming back. Also, even after the reboot I am still getting some symptoms from the virus. I run Malwarebytes but it doesn't detect anything until I run it again later on.

Here are my log files.

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

11/5/2009 11:13:06 AM
mbam-log-2009-11-05 (11-13-06).txt

Scan type: Quick Scan
Objects scanned: 123612
Time elapsed: 24 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\kalomawu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{86165841-8419-423a-ba7f-6e8ec73c7eaf} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wihububit (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{86165841-8419-423a-ba7f-6e8ec73c7eaf} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dijulawof (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kalomawu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\kalomawu.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\kalomawu.dll (Trojan.Vundo.H) -> Delete on reboot.
Rosty Posted November 5, 2009

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.
az10 Posted November 5, 2009

Here's my ComboFix log:

ComboFix 09-11-05.01 - Owner 11/05/2009 14:34.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.498 [GMT -5:00]
Running from: c:\documents and settings\Owner.Andy\Desktop\ComboFix.exe
 * Resident AV is active.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-647344410-2365357573-1185470651-500
c:\windows\kb913800.exe
c:\windows\system32\danirizi.dll
c:\windows\system32\kewomavo.dll
c:\windows\system32\laninejo.dll
c:\windows\system32\loyuwisa.dll
c:\windows\system32\nsprs.dll
c:\windows\system32\nuyuviju.dll
c:\windows\system32\wokiwiba.dll
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.
2009-11-03 19:37 . 2009-11-03 19:38 -------- d-----w- c:\documents and settings\Owner.Andy\Local Settings\Application Data\Temp
2009-11-03 03:12 . 2009-11-03 03:12 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Mozilla
2009-11-03 03:11 . 2009-11-03 03:11 128 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\fusioncache.dat
2009-11-03 03:00 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 03:00 . 2009-11-03 16:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-03 03:00 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-02 23:50 . 2009-11-02 23:50 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-01 16:15 . 2009-07-01 22:13 161816 ----a-w- c:\windows\RegGenieOnUninstall.exe
2009-11-01 16:15 . 2009-11-02 21:06 -------- d-----w- c:\program files\RegGenie
2009-10-27 16:18 . 2009-10-27 16:19 1407680 ----a-w- c:\documents and settings\Owner.Andy\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-10-23 16:00 . 2009-10-23 16:29 -------- d-----w- c:\program files\rbryat
2009-10-15 07:10 . 2009-10-15 07:10 -------- d-----w- C:\6b92a6c40859a0df2acabadb
2009-10-14 17:27 . 2009-10-14 19:39 -------- d-----w- c:\documents and settings\Owner.Andy\Application Data\ICAClient
2009-10-14 17:26 . 2009-10-14 17:26 -------- d-----w- c:\windows\system32\Resource
2009-10-14 17:26 . 2009-10-14 17:26 -------- d-----w- c:\program files\Citrix
2009-10-14 17:25 . 2009-10-14 17:25 -------- d-----w- c:\documents and settings\OWNER~1~AND\LOCALS~1
2009-10-14 17:25 . 2009-10-14 17:25 -------- d-----w- c:\documents and settings\OWNER~1~AND
2009-10-13 04:38 . 2009-10-13 04:38 -------- d-----w- c:\documents and settings\Owner.Andy\Local Settings\Application Data\AIM
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 07:03 . 2006-10-12 03:23 -------- d-----w- c:\program files\McAfee
2009-11-03 16:47 . 2007-05-07 21:15 -------- d-----w- c:\documents and settings\Owner.Andy\Application Data\U3
2009-11-03 03:11 . 2009-08-04 21:18 50376 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-11-03 03:04 . 2006-12-21 23:27 -------- d-----w- c:\program files\DivX
2009-11-02 22:11 . 2006-10-12 03:05 -------- d-----w- c:\program files\Google
2009-11-02 21:06 . 2006-12-21 23:18 -------- d-----w- c:\documents and settings\Owner.Andy\Application Data\Azureus
2009-11-01 17:48 . 2006-06-19 04:25 50376 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-27 16:19 . 2007-01-17 03:45 -------- d--h--w- c:\documents and settings\Owner.Andy\Application Data\Move Networks
2009-10-27 16:19 . 2009-07-03 15:30 126970 ----a-w- c:\documents and settings\Owner.Andy\Application Data\Move Networks\uninstall.exe
2009-10-27 16:19 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Owner.Andy\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-25 21:42 . 2008-05-27 23:35 -------- d-----w- c:\program files\PokerStars
2009-10-15 07:05 . 2006-10-12 03:14 -------- d-----w- c:\program files\Microsoft Works
2009-09-28 23:34 . 2009-09-28 23:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-28 23:34 . 2006-10-12 03:08 -------- d-----w- c:\program files\Java
2009-09-28 23:33 . 2009-09-28 23:33 152576 ----a-w- c:\documents and settings\Owner.Andy\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-09-21 17:46 . 2009-09-21 17:46 -------- d-----w- c:\program files\TweetDeck
2009-09-19 03:06 . 2009-09-19 03:06 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2009-09-16 14:22 . 2007-02-07 02:35 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2007-02-07 02:35 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2007-02-07 02:35 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2007-02-07 02:35 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2007-02-07 02:35 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-14 20:07 . 2006-10-12 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-13 21:57 . 2008-10-04 20:36 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-09-11 14:03 . 2006-06-17 09:23 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 07:06 . 2009-03-13 20:21 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 20:45 . 2006-06-17 09:23 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2006-06-17 09:23 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2006-06-17 09:23 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2006-06-17 09:23 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:16 . 2006-06-17 09:24 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-04 21:24 . 2009-08-04 21:23 8050536 ----a-w- c:\program files\Firefox Setup 3.5.2.exe
2009-06-03 15:25 . 2009-06-03 15:25 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-20 39408]
"Google Update"="c:\documents and settings\Owner.Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-03 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-06-03 30192]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-12 98304]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\bigz.exe.exe" [2009-09-10 1312080]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-12-27 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-10-11 2168360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\ZCfgSvc.exe"=
"c:\\Program Files\\BigFix\\bigfix.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/4/2008 3:14 PM 92296]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/8/2007 3:10 AM 24652]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/11/2006 10:05 PM 30192]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [6/15/2007 2:58 PM 39048]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

.
Contents of the 'Scheduled Tasks' folder

2009-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1929080933-648326475-2723996179-1006Core.job
- c:\documents and settings\Owner.Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-03 19:36]

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1929080933-648326475-2723996179-1006UA.job
- c:\documents and settings\Owner.Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-03 19:36]

2006-11-05 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 19:00]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-07 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-07 16:22]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6956
FF - ProfilePath - c:\documents and settings\Owner.Andy\Application Data\Mozilla\Firefox\Profiles\ubrju9g1.default\
FF - prefs.js: browser.startup.homepage - hxxp://fantasysports.yahoo.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Owner.Andy\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Owner.Andy\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Owner.Andy\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

BHO-{b65be8f3-2e8c-42cd-bb6b-5948673348cc} - vonabuka.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-RegGenie Scheduler - c:\program files\RegGenie\RegGenieScheduler.exe
HKLM-Run-dudebezoye - wokiwiba.dll
SharedTaskScheduler-{43a80c43-0b98-40d8-8dcf-1125629a7f16} - c:\windows\system32\jiyigafa.dll
SSODL-lukugusim-{43a80c43-0b98-40d8-8dcf-1125629a7f16} - c:\windows\system32\jiyigafa.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-05 14:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3464)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-11-05 14:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-05 19:54

Pre-Run: 130,743,918,592 bytes free
Post-Run: 130,899,738,624 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - CFE64398C2C5C4621E6FBDE0FC705C73
az10 Posted November 6, 2009

Anyone?
Rosty Posted November 6, 2009

> Anyone?

Hi,

we have a day job and a personal life too, so please be patient!!

May I see a new HijackThis log please. And let me know how things are running now.