broughtup Posted December 23, 2008 ID:41617 Share Posted December 23, 2008 Been battling Vundo since the 20th. Any help is appreciated!----------------------------------------------------------------------------Malwarebytes' Anti-Malware 1.31Database version: 1533Windows 5.1.2600 Service Pack 312/22/2008 7:43:41 PMmbam-log-2008-12-22 (19-43-41).txtScan type: Quick ScanObjects scanned: 61686Time elapsed: 5 minute(s), 34 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 2Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\urqrQgEX.dll (Trojan.Vundo) -> Quarantined and deleted successfully.---------------------------------------------------------------------------------------------------------------;***********************************************************************************************************************************************************************************ANALYSIS: 2008-12-22 20:55:12PROTECTIONS: 1MALWARE: 11SUSPECTS: 6;***********************************************************************************************************************************************************************************PROTECTIONSDescription Version Active Updated;===================================================================================================================================================================================AVG Anti-Virus Free 8.0 Yes Yes;===================================================================================================================================================================================MALWAREId Description Type Active Severity Disinfectable Disinfected Location;===================================================================================================================================================================================00029434 spyware/virtumonde Spyware No 1 Yes No hkey_local_machine\software\microsoft\ms track system00029434 spyware/virtumonde Spyware No 1 Yes No hkey_local_machine\software\microsoft\ms juan00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Glenda\Cookies\glenda@doubleclick[1].txt00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Glenda\Cookies\glenda@atdmt[2].txt00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Clee\Cookies\clee@atdmt[2].txt00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\xu9xhmbb.default\cookies.txt[.atdmt.com/]00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Glenda\Cookies\glenda@mediaplex[2].txt00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Glenda\Cookies\glenda@apmebf[1].txt00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Clee\Cookies\clee@serving-sys[1].txt00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Clee\Cookies\clee@bs.serving-sys[2].txt00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\xu9xhmbb.default\cookies.txt[.advertising.com/]00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\xu9xhmbb.default\cookies.txt[.advertising.com/]00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\xu9xhmbb.default\cookies.txt[.advertising.com/]00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\xu9xhmbb.default\cookies.txt[.advertising.com/]00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\xu9xhmbb.default\cookies.txt[.advertising.com/]00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\xu9xhmbb.default\cookies.txt[.atwola.com/]00415971 Adware/Zango Adware No 0 Yes No C:\System Volume Information\_restore{A20832FC-BF04-403D-920C-E5D1A27EAB07}\RP711\A0080669.exe04123305 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{A20832FC-BF04-403D-920C-E5D1A27EAB07}\RP648\A0070805.dll;===================================================================================================================================================================================SUSPECTSSent Location !;===================================================================================================================================================================================No C:\WINDOWS\System32\actztz.dll !No C:\WINDOWS\system32\actztz.dll !No C:\WINDOWS\system32\actztz.dll !No C:\WINDOWS\system32\utkbrlte.dll !No C:\WINDOWS\system32\bgynci.dll !No C:\WINDOWS\system32\dbllfheu.dll !;===================================================================================================================================================================================VULNERABILITIESId Severity Description !;===================================================================================================================================================================================;===================================================================================================================================================================================Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:01:14 PM, on 12/22/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\system32\slserv.exeC:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exeC:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\AVG\AVG8\avgemc.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Windows Media Player\WMPNSCFG.exeC:\Program Files\Messenger\msmsgs.exeC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\system32\rundll32.exeC:\Documents and Settings\Clee\Local Settings\Application Data\Google\Update\GoogleUpdate.exeC:\Program Files\Windows Live\Messenger\usnsvc.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\wuauclt.exeC:\Documents and Settings\Clee\My Documents\Setup Files\HiJackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: {e6bd0f7d-8add-325a-be84-0a89aa8b603a} - {a306b8aa-98a0-48eb-a523-dda8d7f0db6e} - C:\WINDOWS\system32\actztz.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exeO4 - HKLM\..\Run: [MotiveReportAgent] "C:\Program Files\Common Files\Motive\McciBootStrapper.exe" /url="-APPKEY=Motive -WindowContext=ReportAgent -url=file://C:\Program Files\Common Files\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\MotiveBrowser.exe" /hiddenO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /backgroundO4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-21-400165363-4044680512-882111554-1008\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Glenda')O4 - HKUS\S-1-5-21-400165363-4044680512-882111554-1008\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'Glenda')O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLLO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: Yahoo! MahJong Solitaire - http://download2.games.yahoo.com/games/clients/y/mjst4_x.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1149275572218O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dllO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO20 - AppInit_DLLs: avgrsstx.dll actztz.dllO23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exeO23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exeO23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe--End of file - 6573 bytes Link to post Share on other sites More sharing options...
Maurice Naggar Posted December 24, 2008 ID:42126 Share Posted December 24, 2008 Hello and welcome to MalwareBytes forums.1. Set Windows to show all files and all folders. On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed. "CHECK" (turn on) Display the contents of system folders. Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders. Next, un-check Hide extensions for known file types. Next un-check Hide protected operating system files. 2. Take out the trash (temporary files & temporary internet files) Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.Start ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser, do this also:Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.If you use Opera browser, do this also:Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.Click Exit on the Main menu to close the program. ATF-Cleaner should be run per the above in every user-login account {User Profile} =Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from here: http://cid-6aaab341ce47c5c2.skydrive.live....FixPolicies.exe Double-click FixPolicies.exe. Click the "Install" button on the bottom toolbar of the box that will open. The program will create a new Folder called FixPolicies. Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd. A black box will briefly appear and then close. This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.= Start HijackThis. Look for these lines and place a checkmark against each of the following, if still presentO2 - BHO: {e6bd0f7d-8add-325a-be84-0a89aa8b603a} - {a306b8aa-98a0-48eb-a523-dda8d7f0db6e} - C:\WINDOWS\system32\actztz.dllClick on Fix Checked when finished and exit HijackThis. Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked! =Please download the OTMoveIt3 by OldTimer. Save it to your desktop. Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)::filesC:\WINDOWS\system32\actztz.dll :reg[-hkey_local_machine\software\microsoft\ms track system][-hkey_local_machine\software\microsoft\ms juan] :commands[EmptyTemp][start explorer]Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.Click the red Moveit! button.Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.Close OTMoveIt3Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.=Download ComboFix from one of these locations:Link 1Link 2Link 3* IMPORTANT !!! Save ComboFix.exe to your DesktopDisable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our toolsDouble click on ComboFix.exe & follow the prompts.As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:Click on Yes, to continue scanning for malware.When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.Reply with copies of the OTMoveIt3 log from above and the C:\Combofix.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 5, 2009 Root Admin ID:45004 Share Posted January 5, 2009 No response so I'll close this post now Link to post Share on other sites More sharing options...
Recommended Posts