lwharton Posted June 15, 2010 ID:267972

Malwarebytes continues to find and try to delete 7 infected files, but the infected files continue to reappear. It says the files are deleted, but they reappear every time I run a scan. I am getting a lot of redirects on my Google searches and assume these infected files are causing it? Below is the mbam log identifying the infected files.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4199

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/15/2010 12:34:05 PM
mbam-log-2010-06-15 (12-34-05).txt

Scan type: Full scan (C:\|)
Objects scanned: 232290
Time elapsed: 40 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khigfddrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fcyyvwsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddaxxvdrv (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvvstqsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hggdaxdrv (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvvstqsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hggdaxdrv (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Blade81 Posted June 17, 2010 ID:269042

Hi,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool. When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.

Download GMER here by clicking the download exe button and then saving it to your desktop:
Double-click the .exe that you downloaded.
Click the rootkit tab, uncheck the files option and then click scan.
Don't check the Show All box while scanning is in progress!
When scanning is ready, click Copy. This copies the log to the clipboard.
Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.
lwharton (Author) Posted June 22, 2010 ID:272177

> Hi,
>
> Download DDS and save it to your desktop from here or here or here.
> Disable any script blocker, and then double click dds.scr to run the tool. When done, DDS will open two (2) logs:
> DDS.txt
> Attach.txt
> Save both reports to your desktop. Post them back to your topic.
>
> Download GMER here by clicking the download exe button and then saving it to your desktop:
> Double-click the .exe that you downloaded.
> Click the rootkit tab, uncheck the files option and then click scan.
> Don't check the Show All box while scanning is in progress!
> When scanning is ready, click Copy. This copies the log to the clipboard.
> Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.

I followed the instructions above and am posting the three files.

DDS.txt -

DDS (Ver_10-03-17.01) - NTFSx86
Run by larry wharton at 11:17:40.25 on Mon 06/21/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3197.2317 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\testmb.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\larry wharton\Desktop\dds.com

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.7.0.12\IPSBHO.DLL
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\larry wharton\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [qonnlmdrv] rundll32.exe "mlijhf.dll",s
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mlkiifsys] rundll32.exe "jkhhhi.dll",DllRegisterServer
mRun: [rqpnmjdrv] rundll32.exe "mlijhf.dll",s
dRun: [apmanager.exe] c:\documents and settings\networkservice\application data\apmanager\apmanager.exe silent
dRun: [yabxxwsys] rundll32.exe "jkhhhi.dll",DllRegisterServer
dRun: [iihigedrv] rundll32.exe "mlijhf.dll",s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: inmotionhosting.com\support
Trusted Zone: intuit.com\ttlc
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260203297265
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 jkhhhi.dll

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1107000.00c\symds.sys [2010-5-20 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1107000.00c\symefa.sys [2010-5-20 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20100522.001\BHDrvx86.sys [2010-5-22 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1107000.00c\cchpx86.sys [2010-5-20 501888]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1107000.00c\ironx86.sys [2010-5-20 116784]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.7.0.12\ccsvchst.exe [2010-5-20 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20100617.005\IDSXpx86.sys [2010-6-19 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20100620.006\NAVENG.SYS [2010-6-21 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20100620.006\NAVEX15.SYS [2010-6-21 1347504]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-10-22 238080]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-23 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-23 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-23 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-23 40552]

=============== Created Last 30 ================

2010-06-11 20:19:44 0 ----a-w- c:\documents and settings\larry wharton\defogger_reenable
2010-06-11 16:41:54 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-11 16:00:22 131856 ----a-w- c:\windows\system32\MSADODC.ocx
2010-06-11 16:00:21 89088 ----a-w- c:\windows\system32\ProgressBar4.ocx
2010-06-11 16:00:21 512688 ----a-w- c:\windows\system32\XceedCry.dll
2010-06-11 16:00:21 423784 ----a-w- c:\windows\system32\XceedBkp.dll
2010-06-11 16:00:21 389120 ----a-w- c:\windows\system32\ACTSKN43.OCX
2010-06-11 16:00:21 28672 ----a-w- c:\windows\system32\systray.ocx
2010-06-11 16:00:21 265753 ----a-w- c:\windows\system32\AS-Exp2.ocx
2010-06-11 16:00:21 188416 ----a-w- c:\windows\system32\actsplash.ocx
2010-06-11 16:00:21 1435272 ----a-w- c:\windows\system32\Flash.ocx
2010-06-11 16:00:21 1140472 ----a-w- c:\windows\system32\IGUltraGrid20.ocx
2010-06-11 16:00:21 11012 ----a-w- c:\windows\system32\threadapi.tlb
2010-06-11 16:00:21 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2010-06-11 16:00:20 0 d-----w- c:\program files\MalwareSweeper.com
2010-06-11 15:48:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-11 15:48:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-07 02:41:15 86528 ---ha-w- c:\windows\system32\ursqop.dll
2010-06-07 02:41:14 86528 ---ha-w- c:\windows\system32\jkhhhi.dll
2010-06-06 23:33:31 86528 ---ha-w- c:\windows\system32\hgfcbx.dll
2010-06-06 23:24:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-06 20:56:58 86528 ---ha-w- c:\windows\system32\ursppp.dll
2010-06-06 20:03:22 0 d-----w- c:\program files\Spybot - Search & Destroy2
2010-06-06 01:16:44 93696 ---ha-w- c:\windows\system32\mlijhf.dll
2010-06-06 00:44:11 140288 ----a-w- c:\windows\system32\pcre3.dll
2010-06-01 14:36:01 542 ----a-w- c:\windows\system32\405.js

==================== Find3M ====================

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-06 04:01:43 47408 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-01-05 21:13:07 32768 --sha-w- c:\windows\system32\config\systemprofile\application data\microsoft\internet explorer\userdata\index.dat
2008-10-23 01:22:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-02-23 21:15:51 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022320090224\index.dat
2009-02-28 02:56:27 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022720090228\index.dat

============= FINISH: 11:18:07.03 ===============

Attach.txt -

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/13/2010 2:15:37 PM
System Uptime: 6/21/2010 9:30:20 AM (2 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5N73-AM
Processor: Intel Pentium III Xeon processor | Socket 775 | 2500/333mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 696 GiB total, 632.03 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP76: 3/22/2010 1:51:10 PM - System Checkpoint
RP77: 3/23/2010 4:17:06 PM - System Checkpoint
RP78: 3/24/2010 5:05:03 PM - System Checkpoint
RP79: 3/25/2010 5:48:57 PM - System Checkpoint
RP80: 3/26/2010 6:20:49 PM - System Checkpoint
RP81: 3/27/2010 6:26:51 PM - System Checkpoint
RP82: 3/29/2010 9:41:29 AM - System Checkpoint
RP83: 3/31/2010 11:30:43 AM - System Checkpoint
RP84: 3/31/2010 2:59:59 PM - Installed Windows Media Player 10
RP85: 3/31/2010 3:00:55 PM - Software Distribution Service 3.0
RP86: 4/1/2010 3:08:04 PM - System Checkpoint
RP87: 4/2/2010 3:00:14 AM - Software Distribution Service 3.0
RP88: 4/3/2010 3:06:59 AM - System Checkpoint
RP89: 4/4/2010 4:06:59 AM - System Checkpoint
RP90: 4/5/2010 5:06:59 AM - System Checkpoint
RP91: 4/6/2010 5:00:14 PM - System Checkpoint
RP92: 4/7/2010 5:46:38 PM - System Checkpoint
RP93: 4/8/2010 6:20:56 PM - System Checkpoint
RP94: 4/9/2010 6:27:07 PM - System Checkpoint
RP95: 4/10/2010 6:28:16 PM - System Checkpoint
RP96: 4/11/2010 7:27:07 PM - System Checkpoint
RP97: 4/12/2010 8:27:07 PM - System Checkpoint
RP98: 4/13/2010 10:57:40 AM - Installed TurboTax 2009 wctiper
RP99: 4/14/2010 11:46:05 AM - System Checkpoint
RP100: 4/14/2010 9:38:17 PM - Software Distribution Service 3.0
RP101: 4/15/2010 10:14:38 PM - System Checkpoint
RP102: 4/17/2010 4:52:36 PM - System Checkpoint
RP103: 4/18/2010 5:22:15 PM - System Checkpoint
RP104: 4/19/2010 5:40:21 PM - System Checkpoint
RP105: 4/20/2010 6:13:06 PM - System Checkpoint
RP106: 4/21/2010 6:22:54 PM - System Checkpoint
RP107: 4/22/2010 6:23:02 PM - System Checkpoint
RP108: 4/23/2010 7:23:02 PM - System Checkpoint
RP109: 4/24/2010 8:23:03 PM - System Checkpoint
RP110: 4/25/2010 9:19:06 PM - System Checkpoint
RP111: 4/26/2010 10:13:20 PM - System Checkpoint
RP112: 4/27/2010 11:13:20 PM - System Checkpoint
RP113: 4/29/2010 12:13:20 AM - System Checkpoint
RP114: 4/30/2010 1:13:20 AM - System Checkpoint
RP115: 5/1/2010 2:13:20 AM - System Checkpoint
RP116: 5/2/2010 3:13:20 AM - System Checkpoint
RP117: 5/3/2010 4:13:20 AM - System Checkpoint
RP118: 5/4/2010 4:19:24 AM - System Checkpoint
RP119: 5/5/2010 5:19:23 AM - System Checkpoint
RP120: 5/6/2010 1:22:32 PM - System Checkpoint
RP121: 5/8/2010 11:28:33 AM - System Checkpoint
RP122: 5/9/2010 12:00:38 PM - System Checkpoint
RP123: 5/10/2010 1:57:25 PM - System Checkpoint
RP124: 5/11/2010 3:30:50 PM - System Checkpoint
RP125: 5/12/2010 3:00:15 AM - Software Distribution Service 3.0
RP126: 5/13/2010 4:38:23 PM - System Checkpoint
RP127: 5/14/2010 4:41:14 PM - System Checkpoint
RP128: 5/15/2010 5:40:07 PM - System Checkpoint
RP129: 5/16/2010 6:11:39 PM - System Checkpoint
RP130: 5/18/2010 5:54:54 PM - System Checkpoint
RP131: 5/20/2010 1:23:59 PM - System Checkpoint
RP132: 5/21/2010 1:48:10 PM - System Checkpoint
RP133: 5/22/2010 9:58:20 PM - System Checkpoint
RP134: 5/23/2010 10:33:56 PM - System Checkpoint
RP135: 5/24/2010 11:19:08 PM - System Checkpoint
RP136: 5/26/2010 12:50:58 PM - System Checkpoint
RP137: 5/26/2010 6:01:22 PM - Software Distribution Service 3.0
RP138: 5/27/2010 6:25:19 PM - System Checkpoint
RP139: 5/29/2010 1:53:40 PM - System Checkpoint
RP140: 5/30/2010 2:48:46 PM - System Checkpoint
RP141: 6/1/2010 12:29:04 PM - System Checkpoint
RP142: 6/2/2010 1:33:33 PM - System Checkpoint
RP143: 6/3/2010 3:29:58 PM - System Checkpoint
RP144: 6/4/2010 3:30:19 PM - System Checkpoint
RP145: 6/5/2010 4:22:20 PM - System Checkpoint
RP146: 6/6/2010 5:08:51 PM - System Checkpoint
RP147: 6/7/2010 5:11:03 PM - System Checkpoint
RP148: 6/7/2010 9:36:03 PM - Software Distribution Service 3.0
RP149: 6/8/2010 10:10:57 PM - System Checkpoint
RP150: 6/10/2010 7:08:37 AM - System Checkpoint
RP151: 6/11/2010 7:37:46 AM - System Checkpoint
RP152: 6/11/2010 2:06:10 PM - Software Distribution Service 3.0
RP153: 6/12/2010 2:46:03 PM - System Checkpoint
RP154: 6/13/2010 3:31:45 PM - System Checkpoint
RP155: 6/14/2010 10:46:28 PM - System Checkpoint
RP156: 6/16/2010 11:11:39 AM - System Checkpoint
RP157: 6/17/2010 12:06:09 PM - System Checkpoint
RP158: 6/19/2010 10:43:03 AM - System Checkpoint

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.8
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Coupon Printer for Windows
Google Chrome
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
ieSpell
iTunes
Java 6 Update 17
LightScribe 1.4.44.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
MSN
Nero Suite
Norton AntiVirus
NVIDIA Drivers
OGA Notifier 2.0.0048.0
Platform
PowerDVD
QuickTime
Safari
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Spybot - Search & Destroy
Start and Run a Coffee Bar
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wohiper
TurboTax 2008 wrapper
TurboTax 2009
TurboTax 2009 wctiper
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wohiper
TurboTax 2009 wrapper
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VIA Platform Device Manager
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 10

==== End Of File ===========================

And finally, GMER log -

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-21 22:10:36
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\LARRYW~1\LOCALS~1\Temp\ugddqpog.sys

---- System - GMER 1.0.15 ----

SSDT 89A196D0 ZwAlertResumeThread
SSDT 89A1A6D0 ZwAlertThread
SSDT 88AD3900 ZwAllocateVirtualMemory
SSDT 89A116D0 ZwAssignProcessToJobObject
SSDT 8A43F888 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB59F9210]
SSDT 88AC7E80 ZwCreateMutant
SSDT 88AC2228 ZwCreateSymbolicLinkObject
SSDT 898076F0 ZwCreateThread
SSDT 89A126D0 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB59F9490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB59F99F0]
SSDT 88AD3B98 ZwDuplicateObject
SSDT 88AD3060 ZwFreeVirtualMemory
SSDT 89A176D0 ZwImpersonateAnonymousToken
SSDT 89A186D0 ZwImpersonateThread
SSDT 89E686D0 ZwLoadDriver
SSDT 88AD2EF0 ZwMapViewOfSection
SSDT 89A166D0 ZwOpenEvent
SSDT 88AD3E78 ZwOpenProcess
SSDT 89A206D0 ZwOpenProcessToken
SSDT 89A146D0 ZwOpenSection
SSDT 88AD3CE8 ZwOpenThread
SSDT 88AC28F8 ZwProtectVirtualMemory
SSDT 89A1B6D0 ZwResumeThread
SSDT 89A1E6D0 ZwSetContextThread
SSDT 88AD2C18 ZwSetInformationProcess
SSDT 89A136D0 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB59F9C40]
SSDT 89A156D0 ZwSuspendProcess
SSDT 89A1C6D0 ZwSuspendThread
SSDT 89A216D0 ZwTerminateProcess
SSDT 89A1D6D0 ZwTerminateThread
SSDT 89A1F6D0 ZwUnmapViewOfSection
SSDT 88AD34F0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2DD0 8050466C 4 Bytes CALL A4D8F3AD
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8462360, 0x37399D, 0xE8000020]
init C:\WINDOWS\system32\drivers\monfilt.sys entry point in "init" section [0xB5C82280]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1596] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

Device B2A0CD20
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Is this enough information to help get rid of Trojan.Vundo?

Why does Malwarebytes think the infected files are deleted when they are not really deleted?

Thanks,
lwharton
Blade81 Posted June 22, 2010 ID:272203

Hi,

Please use -button while replying to make sure the previous post isn't quoted.

> Why does Malwarebytes think the infected files are deleted when they are not really deleted?

Vundo is a sticky infection that won't die that easily. It doesn't need more than one part of it to survive to spread the infection back.

Please visit this webpage for download links, and instructions for running the ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link). Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you. Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
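Both lwharton's question (why the Run values come back after Malwarebytes deletes them) and Blade81's answer (one surviving Vundo component is enough to restore the rest) can be read directly off the DDS log posted above: the suspicious Run entries load DLLs by bare name through rundll32, the same DLLs appear in "Created Last 30" as hidden files in system32 with matching sizes and creation times, and one of them is also registered as an LSA authentication package, which LSASS loads at boot regardless of any Run key. The script below is an added triage example, not code from the thread, from Malwarebytes, DDS or GMER; it parses constructed log lines modelled on the posted excerpt (the DLL names and sizes are copied from the log, the parsing rules and all function and field names are the example's own) and correlates the three indicator types so a responder can see which components a registry-only cleanup would leave behind.

```python
"""Correlate persistence indicators in a DDS-style log excerpt.

Added triage example: the parsing rules and names here are the example's own,
not DDS, Malwarebytes or GMER code.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the "Pseudo HJT Report" and "Created Last 30"
# sections of the DDS log posted in the thread (DLL names/sizes copied from it).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [qonnlmdrv] rundll32.exe "mlijhf.dll",s
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mlkiifsys] rundll32.exe "jkhhhi.dll",DllRegisterServer
mRun: [rqpnmjdrv] rundll32.exe "mlijhf.dll",s
dRun: [yabxxwsys] rundll32.exe "jkhhhi.dll",DllRegisterServer
dRun: [iihigedrv] rundll32.exe "mlijhf.dll",s
LSA: Authentication Packages = msv1_0 jkhhhi.dll
2010-06-07 02:41:15 86528 ---ha-w- c:\windows\system32\ursqop.dll
2010-06-07 02:41:14 86528 ---ha-w- c:\windows\system32\jkhhhi.dll
2010-06-06 23:33:31 86528 ---ha-w- c:\windows\system32\hgfcbx.dll
2010-06-06 20:56:58 86528 ---ha-w- c:\windows\system32\ursppp.dll
2010-06-06 01:16:44 93696 ---ha-w- c:\windows\system32\mlijhf.dll
2010-06-06 00:44:11 140288 ----a-w- c:\windows\system32\pcre3.dll
"""

RUN_RE = re.compile(r'^([umd])Run: \[([^\]]+)\] (.*)$')
# rundll32 <dll>,<entry>: capture the DLL argument, quoted or not
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,', re.IGNORECASE)
LSA_RE = re.compile(r'^LSA: Authentication Packages = (.*)$')
# DDS file line: <date> <time> <size> <attrs> <path>; an 'h' in attrs means hidden
FILE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\d+) (\S+) (.+)$')


def triage(log_text):
    """Map loaders (Run keys, LSA packages) to hidden DLLs on disk."""
    bare_rundll32 = defaultdict(list)  # dll name -> Run entries loading it by bare name
    lsa_extra = []                     # authentication packages other than msv1_0
    hidden_dlls = {}                   # dll name -> (size, path) for hidden system32 DLLs

    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            d = RUNDLL_RE.search(cmd)
            # A bare name (no path) is resolved through the DLL search order,
            # which is how the Vundo entries in the posted log are written.
            if d and not re.search(r'[\\/]', d.group(1)):
                bare_rundll32[d.group(1).lower()].append(f"{hive}Run:{name}")
            continue
        m = LSA_RE.match(line)
        if m:
            lsa_extra.extend(p for p in m.group(1).split() if p.lower() != 'msv1_0')
            continue
        m = FILE_RE.match(line)
        if m:
            size, attrs, path = m.groups()
            fname = path.rsplit('\\', 1)[-1].lower()
            if 'h' in attrs and fname.endswith('.dll') and '\\system32\\' in path.lower():
                hidden_dlls[fname] = (int(size), path)

    # Identical sizes among recently created hidden DLLs suggest copies of one component.
    size_clusters = defaultdict(list)
    for fname, (size, _path) in hidden_dlls.items():
        size_clusters[size].append(fname)

    lsa_names = {p.lower() for p in lsa_extra}
    loaders = set(bare_rundll32) | lsa_names
    return {
        "bare_rundll32": dict(bare_rundll32),
        "lsa_extra": lsa_extra,
        "hidden_dlls": hidden_dlls,
        "size_clusters": dict(size_clusters),
        # Hidden on disk AND referenced by a loader: deleting the Run values
        # alone leaves these files (and the LSA entry) in place.
        "linked": loaders & set(hidden_dlls),
        # Loaded by LSASS at boot even if every Run value is removed.
        "survives_run_cleanup": sorted(lsa_names & set(hidden_dlls)),
    }


def render(report):
    """Human-readable summary of a triage() report."""
    lines = []
    for dll, entries in sorted(report["bare_rundll32"].items()):
        lines.append(f"rundll32 loads {dll} by bare name from: {', '.join(entries)}")
    for pkg in report["lsa_extra"]:
        lines.append(f"non-default LSA authentication package: {pkg}")
    for size, names in sorted(report["size_clusters"].items()):
        lines.append(f"hidden system32 DLLs of size {size}: {', '.join(sorted(names))}")
    for dll in sorted(report["linked"]):
        lines.append(f"loader references hidden file: {dll}")
    for dll in report["survives_run_cleanup"]:
        lines.append(f"still loaded after Run cleanup (LSA package): {dll}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(triage(SAMPLE_LOG)))
```

Run against the sample, the report ties mlijhf.dll and jkhhhi.dll to the Run entries that load them, groups the four 86528-byte hidden DLLs as likely copies of one component, and singles out jkhhhi.dll as the piece that LSASS reloads at boot no matter how many Run values are quarantined, which is the behaviour the thread is asking about. On a real DDS log the same three sections can be pasted in place of SAMPLE_LOG.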
AdvancedSetup (Root Admin) Posted July 8, 2010 ID:281094

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.