TheTechGuide Forum
General Category => Tech Clinic => Topic started by: GLP on June 27, 2007, 04:52:09 AM
-
Hi all,
Managed to catch the Vundo trojan the other day - I've run Spybot, VundoFix, ComboFix, ATF Cleaner etc. and hopefully cleaned the machine....
Here's a HJT log - can someone check this out and let me know if there's anything else I need to do ... your help is greatly appreciated.
Logfile of HijackThis v1.99.1
Scan saved at 10:43, on 2007-06-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\llo36863\Desktop\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mimi.mottmac.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ukcolopxLB.mottmac.group.int:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.mottmac.com;*.mottmac.group.int;*.group.int;194.60.85.*;10.*;138.104.*;192.1.2.247;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F558093-6F50-4E45-8360-E3C0B6D5C638} - C:\WINDOWS\system32\geede.dll (file missing)
O2 - BHO: (no name) - {48D77D62-67BC-4FDC-B428-EF4219AEF5B0} - C:\WINDOWS\system32\awtqp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {59415563-2A4D-4C59-8774-4329D298410A} - C:\WINDOWS\system32\ddabc.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8D99D2A3-317C-4929-8A5D-21140259D93A} - (no file)
O2 - BHO: (no name) - {E65173BB-4000-4E0F-9FB4-5EF6669BB49D} - C:\WINDOWS\system32\pmkjk.dll (file missing)
O2 - BHO: (no name) - {F67899AE-3B79-4542-A892-39D408706202} - C:\WINDOWS\system32\awtqn.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Lawson - {D928FCC0-F8A5-11d2-9041-00A024FF64ED} - C:\WINDOWS\system32\LawsonIE.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mimi.mottmac.com
O15 - Trusted Zone: http://*.mimi
O15 - Trusted Zone: http://*.fifi.mottmac.com
O15 - Trusted Zone: http://contacts.mottmac.com
O15 - Trusted Zone: http://grouptracker.mottmac.com
O15 - Trusted Zone: http://marketqa.mottmac.com
O15 - Trusted Zone: http://mimi.mottmac.com
O15 - Trusted Zone: http://*.mottmac.com
O15 - Trusted Zone: http://*.mimi (HKLM)
O15 - Trusted Zone: http://*.fifi.mottmac.com (HKLM)
O15 - Trusted Zone: http://contacts.mottmac.com (HKLM)
O15 - Trusted Zone: http://fifi.mottmac.com (HKLM)
O15 - Trusted Zone: http://grouptracker.mottmac.com (HKLM)
O15 - Trusted Zone: http://marketqa.mottmac.com (HKLM)
O15 - Trusted Zone: http://mimi.mottmac.com (HKLM)
O15 - Trusted Zone: http://misapp1.mottmac.com (HKLM)
O15 - Trusted Zone: http://misapp2.mottmac.com (HKLM)
O15 - Trusted Zone: http://*.mottmac.com (HKLM)
O15 - Trusted IP range: http://138.104.6.* (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134fd.bay134.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F5CD0EBF-31FB-4BEA-B9AD-085A3C4F4E2C} (VoyagerCtl Class) - https://www.promapserver.co.uk/controls/latest/Voyager.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mottmac.group.int
O17 - HKLM\Software\..\Telephony: DomainName = mottmac.group.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mottmac.group.int
O20 - Winlogon Notify: ddabc - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pmkjk - C:\WINDOWS\
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
-
Do a "System scan only" with Hijackthis and put a check next to these entries:
O2 - BHO: (no name) - {0F558093-6F50-4E45-8360-E3C0B6D5C638} - C:\WINDOWS\system32\geede.dll (file missing)
O2 - BHO: (no name) - {48D77D62-67BC-4FDC-B428-EF4219AEF5B0} - C:\WINDOWS\system32\awtqp.dll (file missing)
O2 - BHO: (no name) - {59415563-2A4D-4C59-8774-4329D298410A} - C:\WINDOWS\system32\ddabc.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8D99D2A3-317C-4929-8A5D-21140259D93A} - (no file)
O2 - BHO: (no name) - {E65173BB-4000-4E0F-9FB4-5EF6669BB49D} - C:\WINDOWS\system32\pmkjk.dll (file missing)
O2 - BHO: (no name) - {F67899AE-3B79-4542-A892-39D408706202} - C:\WINDOWS\system32\awtqn.dll (file missing)
O20 - Winlogon Notify: ddabc - C:\WINDOWS\
O20 - Winlogon Notify: pmkjk - C:\WINDOWS\
After you have ticked the above entries, close all other open windows,
including this one.
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot the computer
Back in Windows
Post a fresh hijackthis log
Can you also post the log from combofix>>C:\Combofix.txt
I take it you know the domain .mottmac.com?
Is this your business domain, just double checking
Also, I've only seen this entry in one other log, it could very well be legit
Can you scan this file for me please
go to either of these links
http://virusscan.jotti.org/
OR
http://www.virustotal.com/flash/index_en.html
Use the browse button and navigate to the file on your hard drive
C:\WINDOWS\system32\LawsonIE.dll <- this file
Right click on the file, and choose Select>>or double click on it
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please
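As an added illustration (not code from this thread, from HijackThis or from its author), the small Python triage below applies the reasoning behind the fix list above to a constructed log sample: it flags O2 BHO entries whose DLL is gone ("(file missing)" / "(no file)") and O20 Winlogon Notify subkeys that point at a bare directory, and links the two by the shared random name (ddabc, pmkjk), which is the pairing Vundo leaves behind. The sample lines are copied from the posted log; the reason strings and function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set

# Constructed sample in HijackThis 1.99 format, modelled on the O2 and O20
# entries posted in this thread (CLSIDs and paths as they appear in the log).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F558093-6F50-4E45-8360-E3C0B6D5C638} - C:\WINDOWS\system32\geede.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {59415563-2A4D-4C59-8774-4329D298410A} - C:\WINDOWS\system32\ddabc.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E65173BB-4000-4E0F-9FB4-5EF6669BB49D} - C:\WINDOWS\system32\pmkjk.dll (file missing)
O20 - Winlogon Notify: ddabc - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pmkjk - C:\WINDOWS\
"""

# "O2 - BHO: <title> - {CLSID} - <target>"; the CLSID anchors the split because
# titles and paths may themselves contain " - ".
O2_RE = re.compile(r"^O2 - BHO: (?P<title>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
# "O20 - Winlogon Notify: <subkey> - <path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str              # "O2" (BHO) or "O20" (Winlogon Notify)
    ident: str                # CLSID for O2, Notify subkey name for O20
    line: str                 # the log line exactly as posted
    reasons: List[str] = field(default_factory=list)


def dll_stem(target: str) -> str:
    r"""Lower-case DLL name without extension from an O2 target, e.g.
    'C:\WINDOWS\system32\ddabc.dll (file missing)' -> 'ddabc'.
    Returns '' when the entry names no DLL at all ('(no file)')."""
    path = target.replace(" (file missing)", "").strip()
    name = path.rsplit("\\", 1)[-1]
    return name[:-4].lower() if name.lower().endswith(".dll") else ""


def triage(log_text: str) -> List[Finding]:
    """Flag the two patterns the helper in this thread ticked for removal:
    O2 BHOs whose DLL is gone, and O20 Winlogon Notify subkeys that resolve to a
    bare directory instead of a DLL, especially when the subkey shares its name
    with one of those orphaned BHO DLLs (the usual Vundo pairing)."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    findings: List[Finding] = []
    orphan_stems: Set[str] = set()

    # Pass 1: BHOs registered under Browser Helper Objects whose file is absent.
    for line in lines:
        m = O2_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if target == "(no file)" or target.endswith("(file missing)"):
            reasons = ["BHO CLSID registered but its DLL is absent"]
            if m.group("title") == "(no name)":
                reasons.append("no display name")
            findings.append(Finding("O2", m.group("clsid"), line, reasons))
            stem = dll_stem(target)
            if stem:
                orphan_stems.add(stem)

    # Pass 2: Winlogon Notify packages (DLLs winlogon.exe loads at logon).
    for line in lines:
        m = O20_RE.match(line)
        if not m:
            continue
        name, path = m.group("name"), m.group("path")
        reasons = []
        if path.endswith("\\"):
            reasons.append("Notify subkey resolves to a directory, not a DLL")
        if name.lower() in orphan_stems:
            reasons.append("same name as an orphaned BHO DLL")
        if reasons:
            findings.append(Finding("O20", name, line, reasons))
    return findings


def fix_checked_lines(log_text: str) -> List[str]:
    """The log lines a HijackThis user would tick before 'Fix checked'."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.ident:40} {'; '.join(f.reasons)}")
```

Legitimate entries with an odd look but a real file (SDHelper.dll has "(no name)", igfxdev.dll is a Notify package) are left alone, which is exactly how the fix list above was drawn up.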
-
Sorry for the delay - but I wasn't in work yesterday and therefore didn't have access to the infected machine.
Your comments:
"Post a fresh hijackthis log" - See below
"Can you also post the log from combofix>>C:\Combofix.txt" - See below HJT log
"I take it you know the domain .mottmac.com?" - Yes it's the company domain. Fully trusted.
"Also, I've only seen this entry in one other log, it could very well be legit
C:\WINDOWS\system32\LawsonIE.dll <- this file" -
Lawson is software installed on all our PCs by the company as it is used in the generation of electronic forms..... see below...

Updates Provided
This release contains the following updates:

Desktop and Toolkit components
Component / Change description - (*) means regen required

BOBject.ocx
  Enhancement of tellme.bob logging:
  - location of file is now <program folder>\logs
  - all forms toggle on/off with hotkey (Ctrl+Alt+L)
DetailControl.ocx
  (*) PT 66228: Resolves problem where detail columns are sometimes blanked out.
  Repairs problem with DrillSelect returning a 'Server error...' when data contains special characters misinterpreted by the browser.
  PT 67819: Special action not visible on Special Action menu. (PA52; V)
  PT 68233: Hot keys regression issue.
DrillXPlore.ocx
  PT 67913: Down arrow on select broken (MA60.2).
FieldData.dll
  PT 66765: Resolves issues with some key data not being passed from one form to another.
  Changes of date formatting for international support.
LawAttachments.dll
  (*) PT 66236: Changed to support form and row level attachments.
  (*) PT 68151: Display creation/modification/UserID info.
  PT 68151: Follow up to provide creation and modified username information for an attachment record.
LawRptCtrl.ocx
  PT 67945: Token column not displaying the token number within the completed jobs screen.
  PT 66960: Resolves problem for reports with more than 50 pages do not have navigation.
LawsonCombo.ocx
  Changes for TextValList versus DBValList.
LawsonDate.ocx
  PT#68736 - Detect partial and invalid dates entered into Lawson date controls.
LawsonIE.dll (WebBand)
  A menu item is provided to link to server-based on-line help manuals.
LawsonXlate.ocx
  PT 67549: Resolves problem of field labels shifting on the form when not all translations are provided.
  Translate initially available command buttons. Also, when a translation phrase is not available, the original phrase is used.
Logfile of HijackThis v1.99.1
Scan saved at 09:05, on 2007-06-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\llo36863\Desktop\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mimi.mottmac.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ukcolopxLB.mottmac.group.int:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.mottmac.com;*.mottmac.group.int;*.group.int;194.60.85.*;10.*;138.104.*;192.1.2.247;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Lawson - {D928FCC0-F8A5-11d2-9041-00A024FF64ED} - C:\WINDOWS\system32\LawsonIE.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mimi.mottmac.com
O15 - Trusted Zone: http://*.mimi
O15 - Trusted Zone: http://*.fifi.mottmac.com
O15 - Trusted Zone: http://contacts.mottmac.com
O15 - Trusted Zone: http://grouptracker.mottmac.com
O15 - Trusted Zone: http://marketqa.mottmac.com
O15 - Trusted Zone: http://mimi.mottmac.com
O15 - Trusted Zone: http://*.mottmac.com
O15 - Trusted Zone: http://*.mimi (HKLM)
O15 - Trusted Zone: http://*.fifi.mottmac.com (HKLM)
O15 - Trusted Zone: http://contacts.mottmac.com (HKLM)
O15 - Trusted Zone: http://fifi.mottmac.com (HKLM)
O15 - Trusted Zone: http://grouptracker.mottmac.com (HKLM)
O15 - Trusted Zone: http://marketqa.mottmac.com (HKLM)
O15 - Trusted Zone: http://mimi.mottmac.com (HKLM)
O15 - Trusted Zone: http://misapp1.mottmac.com (HKLM)
O15 - Trusted Zone: http://misapp2.mottmac.com (HKLM)
O15 - Trusted Zone: http://*.mottmac.com (HKLM)
O15 - Trusted IP range: http://138.104.6.* (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134fd.bay134.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F5CD0EBF-31FB-4BEA-B9AD-085A3C4F4E2C} (VoyagerCtl Class) - https://www.promapserver.co.uk/controls/latest/Voyager.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mottmac.group.int
O17 - HKLM\Software\..\Telephony: DomainName = mottmac.group.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mottmac.group.int
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
ComboFix log:
"LLO36863" - 2007-06-27 10:27:24 - ComboFix 07-06-27.7 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\opnolii.dll
C:\WINDOWS\system32\urqrsqp.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((( Files Created from 2007-05-27 to 2007-06-27 )))))))))))))))))))))))))))))))
2007-06-27 10:26 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-27 08:54 66,112 --a------ C:\WINDOWS\system32\jodjwjfe.dll
2007-06-27 08:49 128,576 --a------ C:\WINDOWS\system32\webxwvxh.dll
2007-06-26 12:38 <DIR> d-------- C:\Program Files\Messenger
2007-06-26 12:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-25 15:59 <DIR> d-------- C:\VundoFix Backups
2007-06-25 10:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-25 10:21 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-25 10:04 4,672 --a------ C:\WINDOWS\system32\teekxecc.exe
2007-06-25 09:19 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-25 09:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-19 17:15 <DIR> d-------- C:\DOCUME~1\llo36863\APPLIC~1\Help
2007-06-19 16:55 <DIR> d-------- C:\DOCUME~1\llo36863\APPLIC~1\MapInfo
2007-06-11 13:21 <DIR> d-------- C:\Program Files\Virtual Earth 3D
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-27 09:30:32 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-26 14:11:08 -------- d-----w C:\Program Files\BeClean
2007-06-20 13:28:39 -------- d-----w C:\DOCUME~1\llo36863\APPLIC~1\ICAClient
2007-05-23 08:58:25 -------- d-----w C:\DOCUME~1\llo36863\APPLIC~1\Wallingford Software
2007-05-22 16:05:06 -------- d-----w C:\DOCUME~1\llo36863\APPLIC~1\Teleca
2007-05-22 16:04:44 -------- d-----w C:\DOCUME~1\llo36863\APPLIC~1\Sony Ericsson
2007-05-22 16:02:18 -------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-05-22 16:01:52 -------- d-----w C:\Program Files\Sony Ericsson
2007-05-18 10:24:41 -------- d-----w C:\DOCUME~1\llo36863\APPLIC~1\AdobeUM
2007-05-17 14:44:50 -------- d-----w C:\Program Files\IVT Corporation
2007-05-17 14:44:49 -------- d--h--w C:\Program Files\InstallShield Installation Information
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0F558093-6F50-4E45-8360-E3C0B6D5C638}=C:\WINDOWS\system32\geede.dll []
{48D77D62-67BC-4FDC-B428-EF4219AEF5B0}=C:\WINDOWS\system32\awtqp.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{59415563-2A4D-4C59-8774-4329D298410A}=C:\WINDOWS\system32\ddabc.dll []
{E65173BB-4000-4E0F-9FB4-5EF6669BB49D}=C:\WINDOWS\system32\pmkjk.dll []
{F67899AE-3B79-4542-A892-39D408706202}=C:\WINDOWS\system32\awtqn.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-06 21:39 C:\WINDOWS\RTHDCPL.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 20:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33]
"Synchronization Manager"="%SystemRoot%\system32\mobsync.exe" []
"@"="" []
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"1"="C:\Program Files\Internet Explorer\IEXPLORE.EXE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddabc]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkjk]
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-27 10:30:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-27 10:31:54 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-27 10:31
--- E O F ---
-
Oh yeah - and thanks for all the time and effort spent checking this out for me - it's really appreciated. :-)
-
"Lawson is software installed on all our PCs by the company as it is used in the generation of electronic forms"
Thank you for the info
I'm just on my way to work
In the meantime, can you do the following please
From below, download and save Find_it.zip, then UNZIP to your desktop
Find_it.bat
Double click on Find_It.bat
A DOS window will open, scan quickly and then close
When it's done a folder called Files will be placed on your desktop, if it doesn't already exist
Can you open the Files folder, inside will be a file called Look1.txt
Open the file and copy and paste back the whole contents please
Also, the files are probably bad, but can we scan them please to double check
go to either of these links
http://virusscan.jotti.org/
OR
http://www.virustotal.com/flash/index_en.html
scan these files
C:\WINDOWS\system32\jodjwjfe.dll
C:\WINDOWS\system32\webxwvxh.dll
C:\WINDOWS\system32\teekxecc.exe
Post back the results
-
I've scanned all the files - I've attached a txt file below with the results.
I can't seem to download your find_it.bat file - it keeps coming up as Corrupt.
I'll have another go but here's the txt file
(attachment: scans.txt)
After 5pm UK time I'll not be in work till Monday so any further actions will have to wait till next week.
Cheers for your patience.
-
The file is corrupt for me too if I use IE, but works fine with Firefox?
Can you do the following instead
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as findit.bat
Save this file on the desktop
CODE
:: findit.bat - exports five autostart/security registry keys to text files
:: and merges them into Files\look1.txt for posting back.
If not Exist files MkDir Files
:: Each "doesn't exist" placeholder survives only if regedit has nothing to
:: export (the key is absent); otherwise regedit /a overwrites the file with
:: a REGEDIT4-format dump of that key.
echo doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run >files\ok2.txt
regedit /a files\ok2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
echo doesn't exist HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run >files\ok3.txt
regedit /a files\ok3.txt "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run"
echo doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >files\ok4.txt
regedit /a files\ok4.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
echo doesn't exist HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole >files\ok6.txt
regedit /a files\ok6.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
echo doesn't exist HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa >files\ok7.txt
regedit /a files\ok7.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
cd files
:: Concatenate all exports into one file (cmd treats "=" as an argument separator)
copy *.txt = look.txt
del ok*.txt
:: Keep a single REGEDIT4 header, then split the "doesn't exist" notices
:: (compare2) from the real exported data (compare1)
Echo REGEDIT4 > compare.txt
Type look.txt | find /v /i "REGEDIT4" >> compare.txt
Type compare.txt | find /i "doesn't exist " >> compare2.txt
Type compare.txt | find /v /i "doesn't exist" >> compare1.txt
Echo ----------------------- >compare3.txt
Echo ----------------------- >> compare3.txt
del compare.txt
:: Final order in look1.txt: missing-key notices, separator lines, exported data
Copy compare2.txt + compare3.txt + compare1.txt = look1.txt
del look.txt
del compare2.txt
del compare1.txt
del compare3.txt
Then follow the instructions with findit.bat
P.S. This time I really am on my way out the door
Have a good weekend
-
"P.S. This time I really am on my way out the door
Have a good weekend"
Here's the result. You have a good weekend too.
-----------------------
-----------------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"Synchronization Manager"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,\
73,74,65,6d,33,32,5c,6d,6f,62,73,79,6e,63,2e,65,78,65,20,2f,6c,6f,67,6f,6e,\
00
@=""
"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
@=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"1"="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,5c,00,00,00,6c,00,00,00,00,00,00,00,\
14,00,00,00,02,00,48,00,03,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00
"EnableDCOM"="Y"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"LsaPid"=dword:0000035c
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"enabledcom"="y"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
50,72,6f,76,69,64,65,72,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:60,34,4e,2c,eb,2f,5b,34,7d,5e,9d,ab,45,83,fd,78,34,32,31,31,36,\
35,31,64,00,00,00,00,ae,ba,00,00,9c,d1,1b,00,99,d0,bf,71,88,d1,1b,00,10,00,\
00,00,00,00,00,00,dd,1f,7c,bd,f0,09,11,45,d7,98,1e,42
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:19,ad,90,cf,38,30,63,56,74
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:c3,85,eb,b0,fe,31
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:fc,b8,ed,bc,d5,e6,88,15,02,00,75,00,76,46,23,bf
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:c2,68,2f,43,64,fa,c5,01
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,e0,60,91,1a,7a,c4,01
"Type"=dword:00000031
-
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
Make sure you copy everything from REGEDIT4 down in the code box
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"Synchronization Manager"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,\
73,74,65,6d,33,32,5c,6d,6f,62,73,79,6e,63,2e,65,78,65,20,2f,6c,6f,67,6f,6e,\
00
"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
Double click on fix.reg and allow to add/merge to the registry at the prompt
Download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer:
- Save it to your desktop.
- Please double-click OTMoveIt.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
================================================
C:\WINDOWS\system32\jodjwjfe.dll
C:\WINDOWS\system32\webxwvxh.dll
C:\WINDOWS\system32\teekxecc.exe
======================================================
- Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
- Click the red "MoveIt!" button.
- Close OTMoveIt.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".
OTMoveIt will create a log here
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Where mmddyyyy_hhmmss is the date of the tool run.
Can you post that log please along with one last hijackthis log
Keep me informed how things are running please
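A note on what the fix.reg above actually does, with an added example that is not part of the original thread or of any tool used in it. The [-HKEY_LOCAL_MACHINE\...\Run] line deletes the whole HKLM Run key, including its OptionalComponents subkeys, and the lines after it re-create only the values listed, so any value that is not listed (the "Adobe Reader Speed Launcher" entry in the dump above, for instance) is removed along with whatever the trojan added. The last line deletes the HKCU policies\explorer\Run key, which in the dump launched IEXPLORE.EXE at logon. Before merging a .reg file from a forum it is worth previewing exactly that effect. The Python script below parses REGEDIT4 and "Windows Registry Editor Version 5.00" text offline, lists key deletions and value assignments, decodes hex(2)/hex(7) strings (ANSI bytes in REGEDIT4, UTF-16LE in the 5.00 format) so command lines are readable, and reports which values of a key the fix drops. Both .reg samples are constructed from the entries visible in this thread, abbreviated.

```python
"""Preview what a .reg file will do when merged, without touching the registry.
Added example for this thread; not part of the original posts or of any tool used
in them.  Handles REGEDIT4 and "Windows Registry Editor Version 5.00" text and
decodes hex(2)/hex(7) strings (ANSI bytes in REGEDIT4, UTF-16LE in the 5.00 format).
"""
import re

# Constructed sample: the fix.reg posted above, abbreviated.
FIX_REG = r'''REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Synchronization Manager"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,\
  73,74,65,6d,33,32,5c,6d,6f,62,73,79,6e,63,2e,65,78,65,20,2f,6c,6f,67,6f,6e,\
  00
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
'''
# Constructed "before" state: Run values visible in the findit dump above.
BEFORE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
'''
RUN_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
HEX_RE = re.compile(r'^hex(?:\((\d+)\))?:(.*)$')
STRING_TYPES = {1: 'REG_SZ', 2: 'REG_EXPAND_SZ', 7: 'REG_MULTI_SZ'}


def _join_continuations(lines):
    """Glue lines ending in a backslash (multi-line hex values) together."""
    buf = ''
    for line in lines:
        line = buf + line.strip()
        if line.endswith('\\'):
            buf = line[:-1]
            continue
        buf = ''
        yield line


def _unescape(s):
    return re.sub(r'\\(["\\])', r'\1', s)      # \\ -> \ and \" -> "


def decode_value(raw, utf16):
    """Return (type name, decoded value) for the right-hand side of a value line."""
    if raw.startswith('"') and raw.endswith('"'):
        return 'REG_SZ', _unescape(raw[1:-1])
    if raw.startswith('dword:'):
        return 'REG_DWORD', int(raw[6:], 16)
    m = HEX_RE.match(raw)
    if not m:
        return 'UNKNOWN', raw
    kind = int(m.group(1) or 3)                 # bare "hex:" is REG_BINARY (type 3)
    data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
    if kind not in STRING_TYPES:
        return f'hex({kind})', data.hex()
    text = data.decode('utf-16-le' if utf16 else 'latin-1', errors='replace')
    parts = [p for p in text.split('\0') if p]   # strings are NUL-terminated
    return STRING_TYPES[kind], parts if kind == 7 else (parts[0] if parts else '')


def parse_reg(text):
    """Return the merge actions in file order as a list of dicts."""
    lines = text.splitlines()
    utf16 = bool(lines) and lines[0].startswith('Windows Registry Editor')
    actions, key = [], None
    for line in _join_continuations(lines[1:]):
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            body = line[1:-1]
            if body.startswith('-'):            # [-KEY] deletes the key and every subkey
                actions.append({'op': 'delete_key', 'key': body[1:]})
                key = None
            else:
                key = body
                actions.append({'op': 'create_key', 'key': key})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = '(Default)' if m.group(1) is None else _unescape(m.group(1))
            vtype, value = decode_value(m.group(2).strip(), utf16)
            actions.append({'op': 'set_value', 'key': key, 'name': name,
                            'type': vtype, 'value': value})
    return actions


def values_under(actions, key):
    """Names of the values a parsed file sets under `key` (case-insensitive)."""
    return {a['name'] for a in actions
            if a['op'] == 'set_value' and a['key'].lower() == key.lower()}


def dropped_values(before_text, fix_text, key):
    """Existing values under `key` that the fix does not re-create.  Only a fix
    that deletes the key first ([-KEY]) drops anything; a plain merge only adds
    or overwrites values."""
    before, fix = parse_reg(before_text), parse_reg(fix_text)
    if not any(a['op'] == 'delete_key' and a['key'].lower() == key.lower() for a in fix):
        return set()
    return values_under(before, key) - values_under(fix, key)
```

Run parse_reg(FIX_REG) to see each action in order, and dropped_values(BEFORE_REG, FIX_REG, RUN_KEY) to see which Run values will not survive the merge; on this thread's fix that is the Adobe Reader Speed Launcher entry. The script only reads text, so it is safe to run against any .reg file before double-clicking it.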
-
[quote name='guestolo' post='348741' date='Jul 2 2007, 02:49 AM']Can you post that log please along with one last hijackthis log
Keep me informed how things are running please[/quote]
DllUnregisterServer procedure not found in C:\WINDOWS\system32\jodjwjfe.dll
C:\WINDOWS\system32\jodjwjfe.dll NOT unregistered.
C:\WINDOWS\system32\jodjwjfe.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\webxwvxh.dll
C:\WINDOWS\system32\webxwvxh.dll NOT unregistered.
C:\WINDOWS\system32\webxwvxh.dll moved successfully.
C:\WINDOWS\system32\teekxecc.exe moved successfully.
Created on 07-02-2007 08:56:40
& one last HJT log
Logfile of HijackThis v1.99.1
Scan saved at 08:57, on 2007-07-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\llo36863\Desktop\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mimi.mottmac.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ukcolopxLB.mottmac.group.int:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.mottmac.com;*.mottmac.group.int;*.group.int;194.60.85.*;10.*;138.104.*;192.1.2.247;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Lawson - {D928FCC0-F8A5-11d2-9041-00A024FF64ED} - C:\WINDOWS\system32\LawsonIE.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mimi.mottmac.com
O15 - Trusted Zone: http://*.mimi
O15 - Trusted Zone: http://*.fifi.mottmac.com
O15 - Trusted Zone: http://contacts.mottmac.com
O15 - Trusted Zone: http://grouptracker.mottmac.com
O15 - Trusted Zone: http://marketqa.mottmac.com
O15 - Trusted Zone: http://mimi.mottmac.com
O15 - Trusted Zone: http://*.mottmac.com
O15 - Trusted Zone: http://*.mimi (HKLM)
O15 - Trusted Zone: http://*.fifi.mottmac.com (HKLM)
O15 - Trusted Zone: http://contacts.mottmac.com (HKLM)
O15 - Trusted Zone: http://fifi.mottmac.com (HKLM)
O15 - Trusted Zone: http://grouptracker.mottmac.com (HKLM)
O15 - Trusted Zone: http://marketqa.mottmac.com (HKLM)
O15 - Trusted Zone: http://mimi.mottmac.com (HKLM)
O15 - Trusted Zone: http://misapp1.mottmac.com (HKLM)
O15 - Trusted Zone: http://misapp2.mottmac.com (HKLM)
O15 - Trusted Zone: http://*.mottmac.com (HKLM)
O15 - Trusted IP range: http://138.104.6.* (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134fd.bay134.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F5CD0EBF-31FB-4BEA-B9AD-085A3C4F4E2C} (VoyagerCtl Class) - https://www.promapserver.co.uk/controls/latest/Voyager.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mottmac.group.int
O17 - HKLM\Software\..\Telephony: DomainName = mottmac.group.int
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mottmac.group.int
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Thank you once again.
Brilliant!!
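For anyone reading along and triaging a log like the one above, here is an added example, not from the original posts and not part of HijackThis itself: a small Python script that scans the code-loading lines of a HijackThis 1.99 log (O2, O4, O16, O20, O23) and flags three things this thread turned on. First, entries whose target is "(no file)" or empty, which are orphaned registry references like the O2 BHO marked (no file) above. Second, loaders in system32 whose basename is eight random-looking lowercase letters, the naming pattern of the jodjwjfe.dll, webxwvxh.dll and teekxecc.exe files OTMoveIt moved. Third, Run entries given as a bare filename with no path, which Windows resolves by path search and which are worth confirming on disk. The sample log is constructed from lines of the final log above plus two lines of the kind the infected log would have shown for the moved files; the all-zero CLSID in one of them is a placeholder. These are review hints, not verdicts.

```python
"""Triage the code-loading lines of a HijackThis 1.99 log.
Added example for this thread; not part of the original posts or of HijackThis.
Flags orphaned entries, random-looking 8-letter names in system32 (the naming
pattern of the Vundo files moved above) and Run entries with no path.  These are
review hints, not verdicts.
"""
import re

LINE_RE = re.compile(r'^(O2|O4|O16|O20|O23) - (.*)$')   # BHO, Run, DPF, Winlogon Notify, services
RANDOM_NAME = re.compile(r'^[a-z]{8}\.(dll|exe)$')
KNOWN_8 = {'winlogon.exe', 'services.exe', 'explorer.exe'}   # legitimate 8-letter names

# Constructed sample: lines from the final log above, plus two lines of the kind
# the infected log would have shown for the files OTMoveIt moved.  The all-zero
# CLSID is a placeholder.
SAMPLE_LOG = r'''
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\jodjwjfe.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: webxwvxh - C:\WINDOWS\system32\webxwvxh.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
'''


def exe_path(command):
    """Executable part of a command line: the quoted path, or the first token."""
    t = command.strip()
    if t.startswith('"'):
        end = t.find('"', 1)
        return t[1:end] if end > 0 else t[1:]
    return t.split(' ')[0]


def parse_line(line):
    """Return (type, body, target) for a code-loading HJT line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    if kind == 'O4':                              # "[name] command line"
        m4 = re.search(r'\] (.*)$', body)
        target = m4.group(1) if m4 else ''
    elif body.endswith(' -'):                     # nothing recorded after the entry
        target = ''
    else:                                         # last " - " field is the file
        target = body.rsplit(' - ', 1)[-1]
    return kind, body, target.strip()


def triage(log_text):
    """List of (finding, type, body) tuples, in log order."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        kind, body, target = parsed
        if target == '' or target.lower() == '(no file)':
            findings.append(('orphan', kind, body))     # registry points at nothing
            continue
        path = exe_path(target)
        name = path.replace('/', '\\').rsplit('\\', 1)[-1]
        in_system32 = '\\system32\\' in path.lower()
        if in_system32 and RANDOM_NAME.match(name) and name not in KNOWN_8:
            findings.append(('random-name-system32', kind, body))
        elif kind == 'O4' and '\\' not in path:
            findings.append(('bare-filename', kind, body))  # resolved by path search
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=' | ')
```

On the sample this reports the (no file) BHO and the empty O16 entry as orphans, the two random-name system32 loaders, and the RTHDCPL Run entry as a bare filename to verify; NavLogon.dll (mixed case, a Symantec component) and mobsync.exe (seven letters) are not flagged. Paste a real log into SAMPLE_LOG, or read one from a file, to triage it the same way.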
-
Some final recommendations:
Your log shows no indication of what version of Java you have installed
But I will assume you have older versions
Older versions have vulnerabilities that malware can use to infect your system
The latest is Java 6 update 1
Here are the normal steps for updating:
- Download the latest version of Java(tm) SE Runtime Environment 6 Update 1 (http://www.java.com/en/download/manual.jsp).
- Select the Offline Download
- Click on Windows XP/Vista/2000/2003 Offline (filesize: 13.16 MB) and save it to the desktop
- Close any programs you may have running - especially any web browsers.
- Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
Don't install the new version yet
Let's clear an orphan entry in Hijackthis
Do a "System scan only" with Hijackthis and put a check next to these entries:
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
Optionally, you can tick the next one also, not malicious, decide if you need it running on startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Application which launches common MS Office components to help speed up the launch of Office programs. It's somewhat of a resource hog and some users claim there's no difference with or without it but it usually isn't required - Note: if you make use of the Microsoft Office Shortcut Bar outside an office program this application will need to be enabled for it to show.
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot your computer
If everything is running better
Please do the following
Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Give it a name(any name) and click Create, let it finish
When that's done>>Exit
Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let it finish calculating
Select the More Options tab
and click Cleanup.. under 'System Restore'
This will clear all later restore points except for the one you just made
Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning
==Install the latest version of Java from the installer on your desktop
After installation you can delete the installer
You should give your computer a bit more protection
Install
SpywareBlaster 3.5.1 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
This tool does not need to run in the background to help protect your computer
*It Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
In addition:Open Spybot 1.4
Click on the Immunize button>>OK>>Click on Immunize at the top green cross
Do that after every update
NOTE: If there are other users on this computer
Log into their account also and enable protection with Spywareblaster and Immunize with Spybot
Removal of tools that we used:
You can manually delete findit.bat, fix.reg and the 'files' folder from desktop
Double click on OTMoveit.exe to run the program
Click the Cleanup! button
A list will be downloaded
Select Yes at the prompt
Wait for the confirmation box to open to reboot the computer
Either select Yes to reboot Now or you can choose No to reboot later if preferred
After reboot you can empty your recycle bin
I hope that helps
:)
-
[quote name='guestolo' post='348904' date='Jul 2 2007, 03:04 PM']Some final recommendations:
I hope that helps
:)[/quote]
Thank you very much indeed. Machine running smoothly and quickly now.
If you ever need a reference please let me know.
Brilliant.
Cheers friend.
:)
-
You're welcome, glad to help
I'll lock this topic as your problems appear resolved
Take care GLP
:)