Jump to content

Can't remove Vundo


Recommended Posts

I have Spybot S&D immunizing my system. Also have OfficeScan as the anti-virus (this is provided by my company, so don't have a choice here). OfficeScan doesn't find anything. S&D found Trojan.Vundo and said it removed that successfully. But Vundo keeps showing up. I then found MalwareBytes and ran that. The steps i have followed are:

1) Turn off system restore.

2) Ran Malwarebytes Quick Scan

3) Fixed problems.

I have attached the log which says is removed 2 registry entries for MS Juan and MS Track System. When I restart the sytem the registry entries come back up.

I have also tried VundoFix, VundoBeGone and Symatec's FixVundo. None of these work. Also, tried running MalwareBytes in safe mode. Didn't work.

In terms of my system, IE 6 works fine. But when I use Firefox, I get popups redirecting to sagipsul.com and these popups are opening IE windows. Don't know if this is a seperate issue.

I am attaching the MalawareBytes log and the hijackthis log:

Malwarebytes' Anti-Malware 1.32

Database version: 1646

Windows 5.1.2600 Service Pack 2

1/12/2009 2:22:17 PM

mbam-log-2009-01-12 (14-22-17).txt

Scan type: Quick Scan

Objects scanned: 99758

Time elapsed: 14 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:15:43 PM, on 1/12/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\lotus\notes\nslsvice.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

C:\WINDOWS\system32\nfsclnt.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\lotus\notes\ntmulti.exe

C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Sonexis\ApplicationSharing\AppDriverService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\userinit.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\system32\PSXRUN.EXE

C:\WINDOWS\system32\psxss.exe

C:\SFU\usr\sbin\zzInterix

C:\SFU\usr\sbin\init

C:\SFU\usr\sbin\inetd

C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\WINDOWS\TEMP\ULDEAF.EXE

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\stsystra.exe

C:\jre1.5.0_14\bin\jusched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Skype\Plugin Manager\SkypePM.exe

C:\jre1.5.0_14\bin\jucheck.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\lotus\notes\NLNOTES.EXE

C:\Program Files\lotus\notes\ntaskldr.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\regedit.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.sharepoint

O15 - Trusted Zone: http://*.sharepoint (HKLM)

O15 - ESC Trusted Zone: http://mozilla.davz.net

O15 - ESC Trusted Zone: http://i2corpinet1.i2.com

O15 - ESC Trusted Zone: http://www.mozilla.com

O15 - ESC Trusted Zone: http://sea.search.msn.com

O15 - ESC Trusted Zone: http://www.netidentity.com

O15 - ESC Trusted Zone: http://ftp-mozilla.netscape.com

O15 - ESC Trusted Zone: http://login.passport.com

O15 - ESC Trusted Zone: http://login.passport.net

O15 - ESC Trusted Zone: http://www.sysinternals.com

O15 - ESC Trusted Zone: http://mozilla.davz.net (HKLM)

O15 - ESC Trusted Zone: http://i2corpinet1.i2.com (HKLM)

O15 - ESC Trusted Zone: http://www.mozilla.com (HKLM)

O15 - ESC Trusted Zone: http://sea.search.msn.com (HKLM)

O15 - ESC Trusted Zone: http://ftp-mozilla.netscape.com (HKLM)

O15 - ESC Trusted Zone: http://login.passport.com (HKLM)

O15 - ESC Trusted Zone: http://login.passport.net (HKLM)

O16 - DPF: fdba39af-b1d4-41ab-b45e-ff4bb5755336 - https://icm.i2.com//Downloads/cmW32client.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://dlwsis02/aspnet_client/Altiris_AppW...ib/mcsimenu.CAB

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204055187531

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204055178937

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {74233DB3-F72F-44EA-94DC-258A624037E6} (ComponentOne FlexGrid 8.0 (UNICODE Light)) - http://dlwsis02/aspnet_client/Altiris_AppW...lib/VSFlex8.CAB

O16 - DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} (NetDirect) - https://extranet.i2.com/nortel_cacheable/NetDirect.cab

O16 - DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} (Iewiper Control) - https://extranet.i2.com/nortel_cacheable/iewiper.cab

O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://i2corpmail11.i2.com/dwa7W.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.webex.com/client/T25L/webex/ieatgpc.cab

O16 - DPF: {FDF527BA-DDDA-11D3-AA82-006094EB09CB} (Altiris Clipboard Helper) - http://dlwsis02/aspnet_client/Altiris_AppW...eXClipboard.CAB

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = i2.com

O17 - HKLM\Software\..\Telephony: DomainName = i2.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = i2.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = i2.com

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: AMINIT.dll C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL xoovts.dll

O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\i2 VPN Access\Extranet_serv.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: i2 CIS 6.3 Agent 5015 (i2_CIS_6.3_Agent_5015) - Macrovision - C:\i2\CIS\6.3\NTServiceScripts\CISAgent.exe

O23 - Service: Iap - Dell Inc. - C:\Program Files\Dell\OpenManage\Client\Iap.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\lotus\notes\nslsvice.exe

O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe

O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: OracleDBConsoleorcl - Unknown owner - D:\oracle\product\11.1.0\db_1\bin\nmesrvc.exe (file missing)

O23 - Service: OracleOraDb11g_home1TNSListener - Unknown owner - D:\oracle\product\11.1.0\db_1\BIN\TNSLSNR.exe (file missing)

O23 - Service: OracleServiceORCL - Unknown owner - d:\oracle\product\11.1.0\db_1\bin\ORACLE.EXE (file missing)

O23 - Service: Sonexis Application Sharing Driver Service - Sonexis, Inc. - C:\Program Files\Sonexis\ApplicationSharing\AppDriverService.exe

O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: Transportation Manager Process Monitor (TmProcMonSrvc) - Unknown owner - C:\WINDOWS\system32\TmProcMonSrvc.exe (file missing)

O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--

End of file - 14747 bytes

Link to post
Share on other sites

  • Root Admin

You need to disable Tea Timer to make some changes. Then you also need to remove all old versions of Java and Acrobat Reader

Also are all of the DNS entries for i2.com your Company ? If not they need to be removed possibly by a special tool.

Disable Teatimer

First step:

  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version :

  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.
Link to post
Share on other sites

While awaiting your reply I tried a few things, and I think I may have been successful in removing the trojan. Here are the steps I took:

1) Disabled Teatimer

2) Disabled system restore

3) There were two entries I fixed using Hijackthis

BHO - {no name} - {xxxxxxxxxxxxxxxxxxx....}

O20 - AppInit <3 DLLs>

4) Restarted the system

5) ran mbam quick Scan - 2 problems showed up as above. fixed these

6) Restarted system.

This seems to have fixed the issue since the MS Juan and MS Track System don't show up anymore. Also, there is no popup issue with firefox. And Vundo does not show up in S&D or mbam.After all this, I turned on TeaTimer.

I just ran HijackThis and the following entry showed up...I had fixed a similar entry in hijackthis previously:

O2 - BHO: (no name) - {E389CDA1-7ED6-4605-B9A6-9E648714D623} - (no file)

So has Vundo gone away or just hiding to fight another day?

Also, the i need these java versions for my work since I need to work on older java versions for some older products.

Thanks for all your help.

Just attaching the latest mbam and hjt logs for yr reference:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:30:46 PM, on 1/12/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\lotus\notes\nslsvice.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

C:\WINDOWS\system32\nfsclnt.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\lotus\notes\ntmulti.exe

C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Sonexis\ApplicationSharing\AppDriverService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\system32\PSXRUN.EXE

C:\WINDOWS\system32\psxss.exe

C:\SFU\usr\sbin\zzInterix

C:\SFU\usr\sbin\init

C:\SFU\usr\sbin\inetd

C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\WINDOWS\TEMP\KEF157.EXE

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\stsystra.exe

C:\jre1.5.0_14\bin\jusched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Skype\Plugin Manager\SkypePM.exe

C:\jre1.5.0_14\bin\jucheck.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\EditPlus 2\editplus.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.sharepoint

O15 - Trusted Zone: http://*.sharepoint (HKLM)

O15 - ESC Trusted Zone: http://mozilla.davz.net

O15 - ESC Trusted Zone: http://i2corpinet1.i2.com

O15 - ESC Trusted Zone: http://www.mozilla.com

O15 - ESC Trusted Zone: http://sea.search.msn.com

O15 - ESC Trusted Zone: http://www.netidentity.com

O15 - ESC Trusted Zone: http://ftp-mozilla.netscape.com

O15 - ESC Trusted Zone: http://login.passport.com

O15 - ESC Trusted Zone: http://login.passport.net

O15 - ESC Trusted Zone: http://www.sysinternals.com

O15 - ESC Trusted Zone: http://mozilla.davz.net (HKLM)

O15 - ESC Trusted Zone: http://i2corpinet1.i2.com (HKLM)

O15 - ESC Trusted Zone: http://www.mozilla.com (HKLM)

O15 - ESC Trusted Zone: http://sea.search.msn.com (HKLM)

O15 - ESC Trusted Zone: http://ftp-mozilla.netscape.com (HKLM)

O15 - ESC Trusted Zone: http://login.passport.com (HKLM)

O15 - ESC Trusted Zone: http://login.passport.net (HKLM)

O16 - DPF: fdba39af-b1d4-41ab-b45e-ff4bb5755336 - https://icm.i2.com//Downloads/cmW32client.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://dlwsis02/aspnet_client/Altiris_AppW...ib/mcsimenu.CAB

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204055187531

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204055178937

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {74233DB3-F72F-44EA-94DC-258A624037E6} (ComponentOne FlexGrid 8.0 (UNICODE Light)) - http://dlwsis02/aspnet_client/Altiris_AppW...lib/VSFlex8.CAB

O16 - DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} (NetDirect) - https://extranet.i2.com/nortel_cacheable/NetDirect.cab

O16 - DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} (Iewiper Control) - https://extranet.i2.com/nortel_cacheable/iewiper.cab

O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://i2corpmail11.i2.com/dwa7W.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.webex.com/client/T25L/webex/ieatgpc.cab

O16 - DPF: {FDF527BA-DDDA-11D3-AA82-006094EB09CB} (Altiris Clipboard Helper) - http://dlwsis02/aspnet_client/Altiris_AppW...eXClipboard.CAB

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = i2.com

O17 - HKLM\Software\..\Telephony: DomainName = i2.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = i2.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = i2.com

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\i2 VPN Access\Extranet_serv.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: i2 CIS 6.3 Agent 5015 (i2_CIS_6.3_Agent_5015) - Macrovision - C:\i2\CIS\6.3\NTServiceScripts\CISAgent.exe

O23 - Service: Iap - Dell Inc. - C:\Program Files\Dell\OpenManage\Client\Iap.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\lotus\notes\nslsvice.exe

O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe

O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: OracleDBConsoleorcl - Unknown owner - D:\oracle\product\11.1.0\db_1\bin\nmesrvc.exe (file missing)

O23 - Service: OracleOraDb11g_home1TNSListener - Unknown owner - D:\oracle\product\11.1.0\db_1\BIN\TNSLSNR.exe (file missing)

O23 - Service: OracleServiceORCL - Unknown owner - d:\oracle\product\11.1.0\db_1\bin\ORACLE.EXE (file missing)

O23 - Service: Sonexis Application Sharing Driver Service - Sonexis, Inc. - C:\Program Files\Sonexis\ApplicationSharing\AppDriverService.exe

O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: Transportation Manager Process Monitor (TmProcMonSrvc) - Unknown owner - C:\WINDOWS\system32\TmProcMonSrvc.exe (file missing)

O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--

End of file - 14521 bytes

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:30:46 PM, on 1/12/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\lotus\notes\nslsvice.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

C:\WINDOWS\system32\nfsclnt.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\lotus\notes\ntmulti.exe

C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Sonexis\ApplicationSharing\AppDriverService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\system32\PSXRUN.EXE

C:\WINDOWS\system32\psxss.exe

C:\SFU\usr\sbin\zzInterix

C:\SFU\usr\sbin\init

C:\SFU\usr\sbin\inetd

C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\WINDOWS\TEMP\KEF157.EXE

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\stsystra.exe

C:\jre1.5.0_14\bin\jusched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Skype\Plugin Manager\SkypePM.exe

C:\jre1.5.0_14\bin\jucheck.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\EditPlus 2\editplus.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.sharepoint

O15 - Trusted Zone: http://*.sharepoint (HKLM)

O15 - ESC Trusted Zone: http://mozilla.davz.net

O15 - ESC Trusted Zone: http://i2corpinet1.i2.com

O15 - ESC Trusted Zone: http://www.mozilla.com

O15 - ESC Trusted Zone: http://sea.search.msn.com

O15 - ESC Trusted Zone: http://www.netidentity.com

O15 - ESC Trusted Zone: http://ftp-mozilla.netscape.com

O15 - ESC Trusted Zone: http://login.passport.com

O15 - ESC Trusted Zone: http://login.passport.net

O15 - ESC Trusted Zone: http://www.sysinternals.com

O15 - ESC Trusted Zone: http://mozilla.davz.net (HKLM)

O15 - ESC Trusted Zone: http://i2corpinet1.i2.com (HKLM)

O15 - ESC Trusted Zone: http://www.mozilla.com (HKLM)

O15 - ESC Trusted Zone: http://sea.search.msn.com (HKLM)

O15 - ESC Trusted Zone: http://ftp-mozilla.netscape.com (HKLM)

O15 - ESC Trusted Zone: http://login.passport.com (HKLM)

O15 - ESC Trusted Zone: http://login.passport.net (HKLM)

O16 - DPF: fdba39af-b1d4-41ab-b45e-ff4bb5755336 - https://icm.i2.com//Downloads/cmW32client.cab

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://dlwsis02/aspnet_client/Altiris_AppW...ib/mcsimenu.CAB

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204055187531

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204055178937

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {74233DB3-F72F-44EA-94DC-258A624037E6} (ComponentOne FlexGrid 8.0 (UNICODE Light)) - http://dlwsis02/aspnet_client/Altiris_AppW...lib/VSFlex8.CAB

O16 - DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} (NetDirect) - https://extranet.i2.com/nortel_cacheable/NetDirect.cab

O16 - DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} (Iewiper Control) - https://extranet.i2.com/nortel_cacheable/iewiper.cab

O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://i2corpmail11.i2.com/dwa7W.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.webex.com/client/T25L/webex/ieatgpc.cab

O16 - DPF: {FDF527BA-DDDA-11D3-AA82-006094EB09CB} (Altiris Clipboard Helper) - http://dlwsis02/aspnet_client/Altiris_AppW...eXClipboard.CAB

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = i2.com

O17 - HKLM\Software\..\Telephony: DomainName = i2.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = i2.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = i2.com

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\i2 VPN Access\Extranet_serv.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: i2 CIS 6.3 Agent 5015 (i2_CIS_6.3_Agent_5015) - Macrovision - C:\i2\CIS\6.3\NTServiceScripts\CISAgent.exe

O23 - Service: Iap - Dell Inc. - C:\Program Files\Dell\OpenManage\Client\Iap.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\lotus\notes\nslsvice.exe

O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe

O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: OracleDBConsoleorcl - Unknown owner - D:\oracle\product\11.1.0\db_1\bin\nmesrvc.exe (file missing)

O23 - Service: OracleOraDb11g_home1TNSListener - Unknown owner - D:\oracle\product\11.1.0\db_1\BIN\TNSLSNR.exe (file missing)

O23 - Service: OracleServiceORCL - Unknown owner - d:\oracle\product\11.1.0\db_1\bin\ORACLE.EXE (file missing)

O23 - Service: Sonexis Application Sharing Driver Service - Sonexis, Inc. - C:\Program Files\Sonexis\ApplicationSharing\AppDriverService.exe

O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: Transportation Manager Process Monitor (TmProcMonSrvc) - Unknown owner - C:\WINDOWS\system32\TmProcMonSrvc.exe (file missing)

O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--

End of file - 14521 bytes

Link to post
Share on other sites

just realized i didn't attach the latest mbam log:

Malwarebytes' Anti-Malware 1.32

Database version: 1646

Windows 5.1.2600 Service Pack 2

1/12/2009 6:07:45 PM

mbam-log-2009-01-12 (18-07-45).txt

Scan type: Quick Scan

Objects scanned: 98740

Time elapsed: 14 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

  • Root Admin

You need to disable Tea Timer and keep it off.

I don't mind myself as most people have way too many BHO but just because it says the file is not found does not mean it's not there and does not mean that it's bad either. Just so others know that come along and read this. Please DO NOT do removals on your own as you can remove items that do belong.

Please be patient as there are many users to help as well.

Well I can understand the Java issues but just realize that they are known to have code flaws that Malware takes advantage of and can infect your system by having older versions on the system.

You will need to write down your current Network settings as you need to run this tool to repair a DNS hijack on your system which will remove all the current zone information.

Please pay attention to the instructions as it needs to be run in Safe Mode to fix things.

Please download and run this tool. Follow the instructions provided on the page

SmitFraudFix

Direct download link: siri.urz.free.fr/Fix/SmitfraudFix.exe

Then, please hold off on doing any other fixes on your own, and be patient. I'll get back to you as soon as I can.

Link to post
Share on other sites

  • Root Admin

Yes, you have an entry that is from Malware. But I may have you run this other tool as the SmitFraud is not always removing that entry depending on what else is on the box.

When this tool is done please run another MBAM update and Quick Scan and a new HJT log.

icon_arrow.gifIf you have a prior copy of Combofix, delete it now !

Download ComboFix from one of these locations, saving to DESKTOP:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.
  • If and only if you are prompted to download a new version of Combofix, reply NO .
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:

Rookit_found.gif

then, be sure to write down fully and also copy that into your next reply here and then await for my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.