Author Topic: Vundo infection?  (Read 2046 times)

Offline rosedaniels

  • Newbie
  • Posts: 21
  • Karma: +0/-0
Vundo infection?
« on: June 15, 2007, 09:57:36 AM »
Hi there,

I would sincerely appreciate it if you could help me with this problem:

My daughter uses Windows Live Messenger to communicate with her schoolmates. Apparently she clicked on a link (as her schoolmates have suffered from the same "problem") and with that action something was copied into the computer.
"It" results in blocking the log-in functionality when starting Windows Live Messenger again ("It" does not seem to 'control' any other program) and it shows two files on the "Bureaublad" (is Dutch for "Desk"?): doc.exe and mon.exe. When you delete these two files they reappear after restarting the computer and/or starting Windows Live Messenger.
I use McAfee antivirus and this gives a message that it removed "Vundo" when starting Windows Live Messenger.

I discovered that my 'recovery'-option of windows was NOT on so I could not go back to the situation before the infection.

I also used HitmanPro and all that belongs to it to try to 'clean' whatever is there. But I seem to lack sufficient knowledge of what I am exactly doing. So you are my last resort at this time. I downloaded HJT and produced the following log. Hope you can help as you did two years ago.

Logfile of HijackThis v1.99.1
Scan saved at 16:39:59, on 15-6-2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.planet.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] "C:\WINDOWS\p_981116.exe" /Q:A
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTBatteryMeter] "C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe"
O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6066\SiteAdv.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Vundo infection?
« Reply #1 on: June 15, 2007, 07:05:32 PM »
Hi again rosedaniels, can you do the following please

Download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files,  click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button."

I'll need to see this report from VundoFix later: C:\Vundofix.txt

Next:
Then, Download this file - Combofix.exe and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post back the following
1. Post the log from combofix
2. Post the report from vundofix
3. Post a fresh hijackthis log

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline rosedaniels

  • Newbie
  • Posts: 21
  • Karma: +0/-0
Vundo infection?
« Reply #2 on: June 17, 2007, 12:31:10 PM »
Quote from: guestolo (post 341320, Jun 16 2007, 02:05 AM)
> Hi again rosedaniels, can you do the following please
>
> Download VundoFix.exe to your desktop.
>   • Double-click VundoFix.exe to run it.
>   • Click the Scan for Vundo button.
>   • Once it's done scanning, click the Remove Vundo button.
>   • You will receive a prompt asking if you want to remove the files, click YES
>   • Once you click yes, your desktop will go blank as it starts removing Vundo.
>   • When completed, it will prompt that it will reboot your computer, click OK.
> Note: It is possible that VundoFix encountered a file it could not remove.
> In this case, VundoFix will run on reboot, simply follow the above
> instructions starting from "Click the Scan for Vundo button."
>
> I'll need to see this report from VundoFix later: C:\Vundofix.txt


OK, the first step has been done:

VundoFix said: No files found.
However, I did click "Remove Vundo", with of course no result.

Here is the log file:


VundoFix V6.5.0

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 17:15:12 14-6-2007

Listing files found while scanning....


Beginning removal...

VundoFix V6.5.0

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 17:22:25 14-6-2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.0

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 18:42:34 17-6-2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Offline rosedaniels

  • Newbie
  • Posts: 21
  • Karma: +0/-0
Vundo infection?
« Reply #3 on: June 17, 2007, 12:57:02 PM »
Here is the log from combofix:

ComboFix 07-06-17 - C:\Documents and Settings\Arjan\Bureaublad\ComboFix.exe
"Arjan" - 2007-06-17 19:32:58 - Service Pack 1  NTFS  


(((((((((((((((((((((((((   Files Created from 2007-05-17 to 2007-06-17  )))))))))))))))))))))))))))))))


2007-06-17 19:32   49,152   --a------   C:\WINDOWS\nircmd.exe
2007-06-15 16:35   <DIR>   d--------   C:\HJT
2007-06-14 17:15   <DIR>   d--------   C:\VundoFix Backups
2007-06-13 23:05   83,024   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2007-06-13 23:05   626,688   --a------   C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-06-13 23:05   57,424   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2007-06-13 23:05   53,840   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2007-06-13 23:05   39,376   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\ikfileflt.sys
2007-06-13 23:05   29,264   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2007-06-13 23:05   <DIR>   d--------   C:\Program Files\Spyware Doctor
2007-06-13 23:04   22,080   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\sshrmd.sys
2007-06-13 23:04   21,056   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\sskbfd.sys
2007-06-13 23:04   20,544   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\SSFS0509.sys
2007-06-13 23:04   164   --a------   C:\install.dat
2007-06-13 23:04   144,960   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\ssidrv.sys
2007-06-13 23:04   <DIR>   d--------   C:\Program Files\Webroot
2007-06-13 23:04   <DIR>   d--------   C:\DOCUME~1\Arjan\APPLIC~1\Webroot
2007-06-13 23:04   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-06-13 23:02   <DIR>   d--------   C:\Program Files\Lavasoft
2007-06-13 22:59   <DIR>   d--------   C:\Program Files\SpywareBlaster
2007-06-13 18:31   70,940   --a------   C:\WINDOWS\SYSTEM32\mon.exe
2007-06-13 18:31   211,944   --a------   C:\WINDOWS\SYSTEM32\doc.exe
2007-06-13 16:58   70,913   --a------   C:\DOCUME~1\Arjan\mon.exe
2007-06-13 16:58   211,944   --a------   C:\DOCUME~1\Arjan\doc.exe
2007-06-11 21:06   <DIR>   d--------   C:\WINDOWS\FLV Player
2007-06-11 21:06   <DIR>   d--------   C:\Program Files\FLV Player
2007-06-11 20:53   <DIR>   d--------   C:\Program Files\Super
2007-06-03 14:10   <DIR>   dr-h-----   C:\DOCUME~1\Arjan\Onlangs geopend
2007-05-31 23:59   <DIR>   d--------   C:\Program Files\Bordermaker26
2007-05-28 10:14   <DIR>   d--------   C:\Program Files\AH Fotoservice
2007-05-19 13:10   335   --a------   C:\WINDOWS\mozregistry.dat
2007-05-18 10:27   5,819,200   --a------   C:\Program Files\Firefox Setup 2.0.0.3.exe


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-17 14:10:23   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\CoreFTP
2007-06-17 13:26:38   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\OpenOffice.org2
2007-06-16 20:50:44   --------   d-----w   C:\Program Files\Trillian
2007-06-16 04:22:50   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\SiteAdvisor
2007-06-15 14:43:56   --------   d-----w   C:\Program Files\Hitman Pro
2007-06-14 20:00:14   --------   d-----w   C:\Program Files\OpenOffice.org1.1.0
2007-06-13 21:22:19   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\Lavasoft
2007-06-13 14:58:40   --------   d-----w   C:\Program Files\MSN Messenger
2007-06-03 20:33:34   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\AdobeUM
2007-05-20 14:35:25   --------   d-----w   C:\Program Files\Hema Album Software Advanced
2007-05-18 12:24:01   --------   d-----w   C:\Program Files\Der teuflische Spiegel
2007-05-12 18:22:18   --------   d-----w   C:\Program Files\GenoPro
2007-05-03 10:05:56   --------   d-----w   C:\Program Files\GIMP-2.0
2007-04-26 18:25:20   --------   d-----w   C:\Program Files\Common Files\ST System Shared
2007-04-26 18:25:19   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-04-26 18:25:19   --------   d-----w   C:\Program Files\Samsung
2007-04-26 18:25:19   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\Samsung
2007-04-26 16:42:50   --------   d-----w   C:\Program Files\Nikon
2007-04-22 13:38:57   247,866   ----a-w   C:\WINDOWS\Alcohol_Toolbar_Uninstaller_6656.exe
2007-04-22 13:38:57   --------   d-----w   C:\Program Files\Alcohol Toolbar
2007-04-22 13:38:30   223,128   ----a-w   C:\WINDOWS\system32\drivers\vaxscsi.sys
2007-04-21 20:57:20   --------   d-----w   C:\Program Files\kaspersky
2007-03-25 08:32:10   69,380   ----a-w   C:\WINDOWS\system32\PERFC013.DAT
2007-03-25 08:32:10   442,004   ----a-w   C:\WINDOWS\system32\PERFH013.DAT


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 17:41]
{0ACF00E0-C1E4-4F6B-B290-10AC7505C47A}=C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll [2007-04-22 15:38]
{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}=c:\program files\mcafee.com\mps\mcbrhlpr.dll [2005-10-28 10:30]
{3EC8255F-E043-4cae-8B3B-B191550C2A22}=c:\program files\mcafee.com\mps\popupkiller.dll [2005-10-28 10:30]
{41D68ED8-4CFF-4115-88A6-6EBB8AF19000}=c:\program files\mcafee\spamkiller\mcapfbho.dll [2005-11-09 15:08]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\program files\mcafee\virusscan\scriptcl.dll [2006-12-22 17:02]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 03:01]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 14:28]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2004-07-25 12:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-03 19:21]
"RTBatteryMeter"="C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe" [2003-01-16 11:32]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2006-03-30 14:31]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-11-09 15:08]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 16:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2006-11-18 14:46]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-11 07:00]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 17:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc   usnsvc


Contents of the 'Scheduled Tasks' folder
2007-06-12 14:05:01  C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2005-03-06 19:11:59  C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-17 19:50:07
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-17 19:51:24

   --- E O F ---
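The "Files Created" section of the ComboFix log above is where the two files the original poster described (doc.exe and mon.exe) actually surface: two copies of each, written minutes apart into the user profile and into SYSTEM32. The script below is an added example, not part of this thread and not ComboFix's own code: it parses that section's line format and reports, for each user-reported filename, how many copies were written, in which directories, when the first appeared, and whether the copies differ in size (a quick indicator that they are not simple duplicates). The excerpt it runs on is reproduced from the posted log; the function and field names are my own.

```python
import re
from collections import defaultdict

# Excerpt reproduced from the ComboFix "Files Created" section posted above
# (only a handful of the lines; format is unchanged).
COMBOFIX_EXCERPT = r"""
2007-06-17 19:32   49,152   --a------   C:\WINDOWS\nircmd.exe
2007-06-15 16:35   <DIR>   d--------   C:\HJT
2007-06-13 23:05   626,688   --a------   C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-06-13 18:31   70,940   --a------   C:\WINDOWS\SYSTEM32\mon.exe
2007-06-13 18:31   211,944   --a------   C:\WINDOWS\SYSTEM32\doc.exe
2007-06-13 16:58   70,913   --a------   C:\DOCUME~1\Arjan\mon.exe
2007-06-13 16:58   211,944   --a------   C:\DOCUME~1\Arjan\doc.exe
2007-06-11 21:06   <DIR>   d--------   C:\Program Files\FLV Player
"""

# One ComboFix "Files Created" line:
#   <date> <time>   <size or <DIR>>   <9-char attribute string>   <path>
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-zA-Z]{9})\s+(?P<path>.+?)\s*$"
)


def parse_files_created(text):
    """Parse the section into a list of dicts; directories get size None."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line, banner, or anything not in the file format
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        path = m["path"]
        entries.append({
            "date": m["date"],
            "time": m["time"],
            "size": size,
            "attrs": m["attrs"],
            "path": path,
            # Windows paths: basename is everything after the last backslash
            "name": path.rsplit("\\", 1)[-1].lower(),
        })
    return entries


def find_reported(entries, reported_names):
    """Group the entries whose basename matches a name the user reported."""
    wanted = {n.lower() for n in reported_names}
    hits = defaultdict(list)
    for e in entries:
        if e["name"] in wanted:
            hits[e["name"]].append(e)
    return dict(hits)


def triage_findings(hits):
    """Per reported name: copy count, directories, first write, size mismatch."""
    findings = {}
    for name, copies in hits.items():
        sizes = {c["size"] for c in copies}
        dirs = sorted({c["path"].rsplit("\\", 1)[0].upper() for c in copies})
        findings[name] = {
            "copies": len(copies),
            "directories": dirs,
            # "YYYY-MM-DD HH:MM" strings sort chronologically
            "earliest": min(f"{c['date']} {c['time']}" for c in copies),
            "in_system32": any("\\SYSTEM32" in c["path"].upper() for c in copies),
            # copies with different sizes are not plain duplicates
            "size_mismatch": len(sizes) > 1,
        }
    return findings


if __name__ == "__main__":
    entries = parse_files_created(COMBOFIX_EXCERPT)
    report = triage_findings(find_reported(entries, ["doc.exe", "mon.exe"]))
    for name, info in sorted(report.items()):
        print(name, info)
```

Run against the full log rather than the excerpt, the same functions will also surface any further copies written outside the two directories shown here.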

Offline rosedaniels

  • Newbie
  • Posts: 21
  • Karma: +0/-0
Vundo infection?
« Reply #4 on: June 17, 2007, 12:58:19 PM »
And the log file from HJT:

Logfile of HijackThis v1.99.1
Scan saved at 19:57:52, on 17-6-2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.planet.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTBatteryMeter] "C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe"
O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6066\SiteAdv.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe

Offline guestolo

Vundo infection?
« Reply #5 on: June 17, 2007, 01:21:51 PM »
I would like to check those 2 files
1. Can you go to either of these links
http://virusscan.jotti.org/
OR
http://www.virustotal.com/flash/index_en.html

Use the browse button and navigate to the file on your harddrive
C:\WINDOWS\SYSTEM32\mon.exe<-this file

Right click on the file,  and choose Select>>or double click on it
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please
Do the same thing with the next one too
C:\WINDOWS\SYSTEM32\doc.exe<-this file

In addition
2. If you have an older version of Smitfraudfix, delete it
Download SmitfraudFix (by S!Ri)
Extract the contents (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

3. Please supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents

4. After you post the uninstall list
Can you do the following, navigate to hijackthis.exe
C:\HJT\HijackThis.exe>>Right click on HijackThis.exe and rename it to Analyse.exe
Then run a fresh scan and save logfile and post the new log please

If you could do the above 4 steps, then we will take it from there
« Last Edit: June 17, 2007, 01:42:16 PM by guestolo »



Offline rosedaniels

Vundo infection?
« Reply #6 on: June 17, 2007, 03:06:05 PM »
Results from Virusjotti reg the doc.exe file:

 Scan taken on 17 Jun 2007 20:04:41 (GMT)
A-Squared    Found nothing
AntiVir    Found nothing
ArcaVir    Found nothing
Avast    Found nothing
AVG Antivirus    Found nothing
BitDefender    Found nothing
ClamAV    Found nothing
Dr.Web    Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus    Found nothing
Fortinet    Found nothing
Kaspersky Anti-Virus    Found nothing
NOD32    Found nothing
Norman Virus Control    Found nothing
Panda Antivirus    Found nothing
Rising Antivirus    Found nothing
VirusBuster    Found nothing
VBA32    Found nothing
« Last Edit: June 17, 2007, 03:15:13 PM by rosedaniels »

Offline rosedaniels

Vundo infection?
« Reply #7 on: June 17, 2007, 03:12:52 PM »
And Virusscan.jotti reported the following about the mon.exe file:


 File:      mon.exe
Status:    
INFECTED/MALWARE
MD5:    b5a8659b4a8e612dbab619a072e25a52
Packers detected:    
PE_PATCH.PECOMPACT, PE_PATCH.UPOLYX, PE_PATCH.UPX, UPX
Bit9 reports:    File not found

 Scan taken on 17 Jun 2007 20:08:29 (GMT)
A-Squared    Found nothing
AntiVir    Found nothing
ArcaVir    Found nothing
Avast    Found nothing
AVG Antivirus    Found nothing
BitDefender    Found Trojan.Vundo.DMA, Trojan.Downloader.Agent.YEG
ClamAV    Found nothing
Dr.Web    Found Trojan.Virtumod, Trojan.DownLoader.24028
F-Prot Antivirus Found nothing
F-Secure Anti-Virus    Found not-a-virus:AdWare.Win32.Virtumonde.jp (4, 1, 400), Trojan-Downloader.Win32.Agent.brf
Fortinet    Found W32/Agent.BRF!tr.dldr
Kaspersky Anti-Virus    Found not-a-virus:AdWare.Win32.Virtumonde.jp, Trojan-Downloader.Win32.Agent.brf
NOD32    Found Win32/Adware.Virtumonde application, Win32/TrojanDownloader.Agent.NOJ
Norman Virus Control    Found nothing
Panda Antivirus    Found nothing
Rising Antivirus    Found nothing
VirusBuster    Found nothing
VBA32    Found AdWare.Win32.Virtumonde.if, Trojan-Downloader.Win32.Agent.brf
« Last Edit: June 17, 2007, 03:14:46 PM by rosedaniels »

Offline rosedaniels

Vundo infection?
« Reply #8 on: June 17, 2007, 03:20:45 PM »
And here are the final results of Virustotal of the mon.exe file:

Complete scanning result of "mon.exe", received in VirusTotal at 06.17.2007, 22:04:04 (CET).

Antivirus   Version   Update   Result
AhnLab-V3   2007.6.16.0   06.15.2007   no virus found
AntiVir   7.4.0.32   06.16.2007   no virus found
Authentium   4.93.8   06.16.2007   no virus found
Avast   4.7.997.0   06.16.2007   no virus found
AVG   7.5.0.467   06.17.2007   no virus found
BitDefender   7.2   06.17.2007   Trojan.Vundo.DMA
CAT-QuickHeal   9.00   06.16.2007   no virus found
ClamAV   devel-20070416   06.17.2007   no virus found
DrWeb   4.33   06.17.2007   Trojan.Virtumod
eSafe   7.0.15.0   06.17.2007   Win32.Agent.brf
eTrust-Vet   30.7.3721   06.15.2007   no virus found
Ewido   4.0   06.17.2007   no virus found
FileAdvisor   1   06.17.2007   no virus found
Fortinet   2.85.0.0   06.17.2007   W32/Agent.BRF!tr.dldr
F-Prot   4.3.2.48   06.15.2007   no virus found
F-Secure   6.70.13030.0   06.15.2007   Trojan-Downloader.Win32.Agent.brf
Ikarus   T3.1.1.8   06.17.2007   no virus found
Kaspersky   4.0.2.24   06.17.2007   not-a-virus:AdWare.Win32.Virtumonde.jp
McAfee   5054   06.15.2007   no virus found
Microsoft   1.2607   06.17.2007   no virus found
NOD32v2   2334   06.15.2007   Win32/Adware.Virtumonde
Norman   5.80.02   06.15.2007   W32/Virtumonde.GWT.dropper
Panda   9.0.0.4   06.17.2007   Spyware/Virtumonde
Prevx1   V2   06.17.2007   no virus found
Sophos   4.18.0   06.12.2007   no virus found
Sunbelt   2.2.907.0   06.16.2007   no virus found
Symantec   10   06.17.2007   no virus found
TheHacker   6.1.6.133   06.15.2007   no virus found
VBA32   3.12.0.2   06.15.2007   AdWare.Win32.Virtumonde.if
VirusBuster   4.3.23:9   06.17.2007   no virus found
Webwasher-Gateway   6.0.1   06.17.2007   no virus found

Aditional Information
File size: 70940 bytes
MD5: b5a8659b4a8e612dbab619a072e25a52
SHA1: 9a191b21764912aab66a2c8e9ee39e0486b01384
packers: BINARYRES
norman sandbox: [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: [email protected] - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Creating several executable files on hard-drive.
* File length: 70940 bytes.

[ Changes to filesystem ]
* Creates directory C:\WINDOWS\TEMP.
* Creates file C:\WINDOWS\TEMP\nsx8999.tmp.
* Deletes file C:\WINDOWS\TEMP\nsx8999.tmp.
* Creates file C:\WINDOWS\TEMP\first.exe.
* Creates file C:\WINDOWS\TEMP\second.exe.
* Creates file C:\WINDOWS\TEMP\nsz0099.tmp.
* Deletes file C:\WINDOWS\TEMP\nsz0099.tmp.
* Creates directory C:\WINDOWS.
* Creates directory C:\WINDOWS\TEMP\nsz0099.tmp.
* Creates file C:\WINDOWS\TEMP\nsz0099.tmp\nsExec.dll.
* Creates file C:\WINDOWS\TEMP\nsz0099.tmp\ns0889.tmp.
* Deletes file C:\WINDOWS\TEMP\nsz0099.tmp\ns0889.tmp.
* Deletes file C:\WINDOWS\TEMP\nsz0099.tmp\NSEXEC.DLL.
* Deletes directory C:\WINDOWS\TEMP\nsz0099.tmp.

[ Signature Scanning ]
* C:\WINDOWS\TEMP\first.exe (38925 bytes) : W32/Virtumonde.GWT.
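
The Jotti and VirusTotal results in replies #7 and #8 are the evidence the thread hinges on, so here is an added illustration (not code from the thread, from Jotti or from VirusTotal) of how a responder reads such lists programmatically: a small Python helper that parses rows in both layouts quoted above and summarizes how many engines flagged the file, which ones did, and which family word the vendors converge on once their differing naming schemes are reduced to a family token. The sample rows are copied from the posts above; the alias table that folds BitDefender's "Vundo" and Dr.Web's "Virtumod" into "virtumonde" is an assumption made for this example.

```python
import re
from collections import Counter

# Constructed sample input in the two layouts quoted in this thread: Jotti rows
# ("Engine    Found X, Y") and the VirusTotal table ("Engine   Version   Update   Result").
JOTTI_SAMPLE = """\
AntiVir    Found nothing
BitDefender    Found Trojan.Vundo.DMA, Trojan.Downloader.Agent.YEG
Dr.Web    Found Trojan.Virtumod, Trojan.DownLoader.24028
F-Prot Antivirus Found nothing
Kaspersky Anti-Virus    Found not-a-virus:AdWare.Win32.Virtumonde.jp, Trojan-Downloader.Win32.Agent.brf
NOD32    Found Win32/Adware.Virtumonde application, Win32/TrojanDownloader.Agent.NOJ
VBA32    Found AdWare.Win32.Virtumonde.if, Trojan-Downloader.Win32.Agent.brf
"""

VT_SAMPLE = """\
Antivirus   Version   Update   Result
AhnLab-V3   2007.6.16.0   06.15.2007   no virus found
BitDefender   7.2   06.17.2007   Trojan.Vundo.DMA
DrWeb   4.33   06.17.2007   Trojan.Virtumod
eSafe   7.0.15.0   06.17.2007   Win32.Agent.brf
Fortinet   2.85.0.0   06.17.2007   W32/Agent.BRF!tr.dldr
F-Secure   6.70.13030.0   06.15.2007   Trojan-Downloader.Win32.Agent.brf
Kaspersky   4.0.2.24   06.17.2007   not-a-virus:AdWare.Win32.Virtumonde.jp
McAfee   5054   06.15.2007   no virus found
Norman   5.80.02   06.15.2007   W32/Virtumonde.GWT.dropper
Panda   9.0.0.4   06.17.2007   Spyware/Virtumonde
Symantec   10   06.17.2007   no virus found
VBA32   3.12.0.2   06.15.2007   AdWare.Win32.Virtumonde.if
"""

CLEAN = {"nothing", "no virus found"}
# Type and platform words that carry no family information.
GENERIC = {"trojan", "downloader", "trojandownloader", "adware", "spyware",
           "win", "application", "dropper", "dldr", "virus"}
# Assumed alias table: different vendor names for the same family.
ALIASES = {"vundo": "virtumonde", "virtumod": "virtumonde"}


def parse_rows(text):
    """Return [(engine, [detection names])] for each engine row in either layout."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(.+?)\s+Found (.+)$", line)      # Jotti layout
        if m:
            engine, result = m.group(1), m.group(2)
        else:                                              # VirusTotal layout
            cols = re.split(r"\s{2,}", line)
            if len(cols) < 4 or cols[0] == "Antivirus":    # skip header/blank lines
                continue
            engine, result = cols[0], " ".join(cols[3:])
        names = [] if result.lower() in CLEAN else [n.strip() for n in result.split(",")]
        rows.append((engine, names))
    return rows


def family_tokens(name):
    """Reduce a vendor name such as 'W32/Virtumonde.GWT.dropper' to its family
    word(s): alphabetic tokens, minus generic words and short variant suffixes."""
    tokens = [t.lower() for t in re.findall(r"[A-Za-z]+", name)]
    return [ALIASES.get(t, t) for t in tokens if t not in GENERIC and len(t) >= 4]


def summarize(text):
    """Detection count, flagging engines, and a Counter of family words."""
    rows = parse_rows(text)
    hits = [(engine, names) for engine, names in rows if names]
    families = Counter(tok for _, names in hits for n in names for tok in family_tokens(n))
    return {
        "engines": len(rows),
        "detected": len(hits),
        "flagging": [engine for engine, _ in hits],
        "families": families,
    }


if __name__ == "__main__":
    for label, sample in (("Jotti", JOTTI_SAMPLE), ("VirusTotal", VT_SAMPLE)):
        s = summarize(sample)
        print(f"{label}: {s['detected']}/{s['engines']} engines flagged; "
              f"family consensus: {s['families'].most_common(2)}")
```

The summary makes the practical point of the two posts visible: the engine installed on the machine (McAfee) reports the file clean in the VirusTotal table, yet nine of the twelve sampled engines flag it and, after aliasing, they agree on a single family, which is what justifies treating mon.exe as malicious rather than as a false positive.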

Offline rosedaniels

Vundo infection?
« Reply #9 on: June 17, 2007, 03:23:49 PM »
Step 2: the SmitFraudFix report:

SmitFraudFix v2.195

Scan done at 21:51:46,59, zo 17-06-2007
Run from C:\Documents and Settings\Arjan\Bureaublad\SmitfraudFix
OS: Microsoft Windows XP [versie 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\HPZipm12.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\CSCRIPT.EXE

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Arjan


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Arjan\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Arjan\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mijn huidige introductiepagina"
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/100 VE Network Connection - Pakketplanner-minipoort
DNS Server Search Order: 10.0.0.138

HKLM\SYSTEM\CCS\Services\Tcpip\..\{D8AEF199-7042-406F-BEE3-717B4834FDD8}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D8AEF199-7042-406F-BEE3-717B4834FDD8}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS3\Services\Tcpip\..\{D8AEF199-7042-406F-BEE3-717B4834FDD8}: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Step 3: the uninstall list from HJT:

3D Interior Designer 2
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop Elements 3.0
Adobe Reader 7.0.9 - Nederlands
Adobe Shockwave Player
Age of Empires III Trial
Age of Mythology
AH Fotoservice
Ahead InCD EasyWrite Reader
Ahead Nero Burning ROM
Ahead NeroMediaPlayer
Ahead NeroVision Express
Alcohol Toolbar
Apple Software Update
ArcSoft Panorama Maker 3.0
Asterix
Asterix Maffe Meerkamp
Barbie Cool Looks Designer
Battle Master 2.0
Beveiligingsupdate for Windows Media Player 10 (KB917734)
Beveiligingsupdate for Windows XP (KB904706)
Beveiligingsupdate voor Windows Media Player (KB911564)
Beveiligingsupdate voor Windows XP (KB890046)
Beveiligingsupdate voor Windows XP (KB893756)
Beveiligingsupdate voor Windows XP (KB896358)
Beveiligingsupdate voor Windows XP (KB896423)
Beveiligingsupdate voor Windows XP (KB896424)
Beveiligingsupdate voor Windows XP (KB896428)
Beveiligingsupdate voor Windows XP (KB899587)
Beveiligingsupdate voor Windows XP (KB899589)
Beveiligingsupdate voor Windows XP (KB899591)
Beveiligingsupdate voor Windows XP (KB900725)
Beveiligingsupdate voor Windows XP (KB901017)
Beveiligingsupdate voor Windows XP (KB901190)
Beveiligingsupdate voor Windows XP (KB901214)
Beveiligingsupdate voor Windows XP (KB902400)
Beveiligingsupdate voor Windows XP (KB905414)
Beveiligingsupdate voor Windows XP (KB905495)
Beveiligingsupdate voor Windows XP (KB905749)
Beveiligingsupdate voor Windows XP (KB908519)
Beveiligingsupdate voor Windows XP (KB911927)
Beveiligingsupdate voor Windows XP (KB912919)
Beveiligingsupdate voor Windows XP (KB913580)
Beveiligingsupdate voor Windows XP (KB914388)
Beveiligingsupdate voor Windows XP (KB914389)
Beveiligingsupdate voor Windows XP (KB917344)
Beveiligingsupdate voor Windows XP (KB917422)
Beveiligingsupdate voor Windows XP (KB917953)
Beveiligingsupdate voor Windows XP (KB919007)
Beveiligingsupdate voor Windows XP (KB920670)
Beveiligingsupdate voor Windows XP (KB920683)
Beveiligingsupdate voor Windows XP (KB920685)
Beveiligingsupdate voor Windows XP (KB921398)
Beveiligingsupdate voor Windows XP (KB921883)
Beveiligingsupdate voor Windows XP (KB922616)
Beveiligingsupdate voor Windows XP (KB922819)
Beveiligingsupdate voor Windows XP (KB923191)
Beveiligingsupdate voor Windows XP (KB923414)
Beveiligingsupdate voor Windows XP (KB924191)
Beveiligingsupdate voor Windows XP (KB924496)
Bugs Bunny - Reis door de Tijd
Bugs Bunny & Taz - Op avontuur door de tijd
Buzz Lightyear of Star Command
Castle Strike Demo
Celestia 1.3.2
cladDVD .NET v3.5.6
Classic PhoneTools
Conexant SmartHSFi V92 56K Speakerphone PCI Modem
Cool Edit 96
Core FTP LE 1.3c
CoverPrint 0.6.0 English
CoverPro
coverXP (remove only)
DAO
dBpowerAMP Music Converter
De Kolonisten van Catan
De Sims 2
De Sims™ 2 Familiepret – Accessoires
Declick 2000
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Der teuflische Spiegel
Desktop Guitarist Shareware
Digimax Master
Digimax RAW Converter
Digital Line Detect
Dino Island
Disney’s SpellenSpektakel
DivX
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab (remove only)
DVDSentry
Easy CD Creator 5 Basic
Easy Wonen 1
EasyPeg 1
Eigen Homepage LITE
Empire Earth
ET The Extra-Terrestrial Interplanetary Mission
Finale NotePad 2004
FLAC Installer 1.1.2a (remove only)
Flight Unlimited II
FLV Player
Gaim (alleen verwijderen)
GenoPro
Google Earth
Google Toolbar for Internet Explorer
GrabIt 1.6.2 Beta (build 940)
Hema Album Software Advanced
Henzo Imager
HijackThis 1.99.1
Hitman Pro
Hotfix for MDAC 2.80 (KB911562)
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
Image Analyzer
Indeo® Software
Intel® PRO Network Adapters and Drivers
Intel® PROSet
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
JannieBall
JBCD
KaM - The Peasants Rebellion
Knight Rider
KnightsAndMerchants
LEGO Chess
LEGO Creator Knights Kingdom
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Lp2Cd
Mah Jongg III
McAfee SecurityCenter
McAfee Wizard Installatie ongedaan maken
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Dutch Language Pack
Microsoft Visio Professional 2002 [English]
Microsoft Works 7.0
Modem Helper
Monsters en Co. Schrik Eiland
Moto Racer
Mozilla Firefox (2.0.0.4)
MP3's Utilities 1.6.38
MSXML4 Parser
Namo WebEditor 3.0
NetObjects Fusion 7.5
NetWaiting
Nikon FotoShare
Nikon View 6
Nokia 3200 USB-Handset Manager
NVIDIA Drivers
OpenOffice.org 2.0
PC Cleaner 2.0
Peter Jackson's King Kong - The Official Game of the Movie
Picasa 2
Pirates of the Caribbean
PowerDVD
PrintMaster 7.00
QuickPar 0.9
QuickTime
RealPlayer
Redcat Brutale Bankroof
RedCat Spookkasteel
Roll
RS2
Secret Weapons Over Normandy
Serif PhotoPlus 5.5
Serif WebPlus 6.0
Serif WebPlus 6.0 Wizard Pack
SimCity 2000® Special Edition
SimSafari
Skype 1.3
Sony Sound Forge 7.0
Sound Blaster Live!
SPIDI
Spy Sweeper
Spybot - Search & Destroy 1.4
Spyware Doctor 5.0
SpywareBlaster v3.5.1
Stronghold
Syberia 2 Demo
The General 3.4
The Sims Abracadabra
TopStyle Lite (Version 2)
TorrenTopia Client
Total Commander (Remove or Repair)
Trillian
Update voor Windows XP (KB835409)
Update voor Windows XP (KB898461)
Update voor Windows XP (KB908531)
Update voor Windows XP (KB910437)
Update voor Windows XP (KB911280)
Uru - Ages Beyond Myst
Uru - Ages Beyond Myst Demo
Vakantieboek
VibrateGameDeviceDriver
WAV to MP3 Encoder
Wave Repair 4.8.5
WavePurity
Winamp (Remove Only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB912812
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
WinRAR
WinZip
Zoner Draw 3

Offline rosedaniels

Vundo infection?
« Reply #10 on: June 17, 2007, 03:26:10 PM »
And last step 4, a fresh scan of Analyse.exe (renamed from HiJackThis.exe):

Logfile of HijackThis v1.99.1
Scan saved at 22:24:38, on 17-6-2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\HJT\Analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.planet.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/nl/nld/gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTBatteryMeter] "C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe"
O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6066\SiteAdv.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\SYSTEM32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeperhe\SpySweeper.exe

---------------------------------------------------
PS a lot of data, good luck analysing all this

Offline guestolo

Vundo infection?
« Reply #11 on: June 17, 2007, 09:07:11 PM »
Can you do the following please

Your Java Runtime Environment is out of date. Older versions have vulnerabilities that malware can use to infect your system.
  • Download the latest version of  Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1, The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language  and save it to your desktop (12.56 MB).
DON'T install it yet

Access your Add/remove programs
Click the Remove or Change/Remove button.
on the following
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6


Don't install the new version yet


Open notepad and copy/paste the text in the quotebox below into it:
Don't include the word 'quote' please

Quote
File::
C:\WINDOWS\SYSTEM32\mon.exe
C:\WINDOWS\SYSTEM32\doc.exe
C:\DOCUME~1\Arjan\mon.exe
C:\DOCUME~1\Arjan\doc.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=-


Save this as ComboFix-Do.txt to your desktop

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt
If no reboot was necessary, can you reboot anyways then go ahead and install the latest version of Sun Java

Post the new log from Combofix

NOTE: I see entries related to Norton's (Symantec's)
Do you still have anything from Norton's relying on the Live updater installed?

Can I also have you do the following
Download: CCleaner (freeware)
http://www.filehippo.com/download_ccleaner/
Run the installer, and uncheck the option to install Yahoo toolbar when and if you are prompted
Once installed, run CCleaner
Next: click Options click the Advanced button
Uncheck: "Only delete files in Windows temp folders older than 48 hrs."
NEXT: Click the Cleaner
Then click Run Cleaner (bottom right)
OK the prompt, let it finish

Once finished can you also do the following, I want to check for other Norton products
Click the TOOLS button then click the Save to text file.. button on the right hand side

Save install.txt to your desktop, then can you copy>>paste back here its contents also, along with the new combofix.txt
« Last Edit: June 17, 2007, 09:09:29 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline rosedaniels

Vundo infection?
« Reply #12 on: June 18, 2007, 12:33:18 PM »
Hi there,
I'll post your question in order:

1. New log from ComboFix:
2. Info about Nortons Live Updater
3. Install.txt from CCleaner

1. New log from Combofix:
ComboFix 07-06-17 - C:\Documents and Settings\Arjan\Bureaublad\ComboFix.exe
"Arjan" - 2007-06-18 18:52:41 - Service Pack 1  NTFS  
Command switches used :: C:\Documents and Settings\Arjan\Bureaublad\ComboFix-Do.txt


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Arjan\doc.exe
C:\DOCUME~1\Arjan\mon.exe
C:\WINDOWS\SYSTEM32\doc.exe
C:\WINDOWS\SYSTEM32\mon.exe


(((((((((((((((((((((((((   Files Created from 2007-05-18 to 2007-06-18  )))))))))))))))))))))))))))))))


2007-06-17 21:51   3,222   --a------   C:\WINDOWS\SYSTEM32\tmp.reg
2007-06-17 19:32   49,152   --a------   C:\WINDOWS\nircmd.exe
2007-06-15 16:35   <DIR>   d--------   C:\HJT
2007-06-14 17:15   <DIR>   d--------   C:\VundoFix Backups
2007-06-13 23:05   83,024   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2007-06-13 23:05   626,688   --a------   C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-06-13 23:05   57,424   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2007-06-13 23:05   53,840   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2007-06-13 23:05   39,376   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\ikfileflt.sys
2007-06-13 23:05   29,264   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2007-06-13 23:05   <DIR>   d--------   C:\Program Files\Spyware Doctor
2007-06-13 23:04   22,080   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\sshrmd.sys
2007-06-13 23:04   21,056   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\sskbfd.sys
2007-06-13 23:04   20,544   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\SSFS0509.sys
2007-06-13 23:04   164   --a------   C:\install.dat
2007-06-13 23:04   144,960   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\ssidrv.sys
2007-06-13 23:04   <DIR>   d--------   C:\Program Files\Webroot
2007-06-13 23:04   <DIR>   d--------   C:\DOCUME~1\Arjan\APPLIC~1\Webroot
2007-06-13 23:04   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-06-13 23:02   <DIR>   d--------   C:\Program Files\Lavasoft
2007-06-13 22:59   <DIR>   d--------   C:\Program Files\SpywareBlaster
2007-06-11 21:06   <DIR>   d--------   C:\WINDOWS\FLV Player
2007-06-11 21:06   <DIR>   d--------   C:\Program Files\FLV Player
2007-06-11 20:53   <DIR>   d--------   C:\Program Files\Super
2007-06-03 14:10   <DIR>   dr-h-----   C:\DOCUME~1\Arjan\Onlangs geopend
2007-05-31 23:59   <DIR>   d--------   C:\Program Files\Bordermaker26
2007-05-28 10:14   <DIR>   d--------   C:\Program Files\AH Fotoservice
2007-05-19 13:10   335   --a------   C:\WINDOWS\mozregistry.dat
2007-05-18 10:27   5,819,200   --a------   C:\Program Files\Firefox Setup 2.0.0.3.exe


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-18 10:50:12   69,380   ----a-w   C:\WINDOWS\system32\PERFC013.DAT
2007-06-18 10:50:12   442,004   ----a-w   C:\WINDOWS\system32\PERFH013.DAT
2007-06-17 19:19:22   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\OpenOffice.org2
2007-06-17 19:09:31   --------   d-----w   C:\Program Files\OpenOffice.org1.1.0
2007-06-17 14:10:23   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\CoreFTP
2007-06-16 20:50:44   --------   d-----w   C:\Program Files\Trillian
2007-06-16 04:22:50   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\SiteAdvisor
2007-06-15 14:43:56   --------   d-----w   C:\Program Files\Hitman Pro
2007-06-13 21:22:19   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\Lavasoft
2007-06-13 14:58:40   --------   d-----w   C:\Program Files\MSN Messenger
2007-06-03 20:33:34   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\AdobeUM
2007-05-20 14:35:25   --------   d-----w   C:\Program Files\Hema Album Software Advanced
2007-05-18 12:24:01   --------   d-----w   C:\Program Files\Der teuflische Spiegel
2007-05-12 18:22:18   --------   d-----w   C:\Program Files\GenoPro
2007-05-03 10:05:56   --------   d-----w   C:\Program Files\GIMP-2.0
2007-04-26 18:25:20   --------   d-----w   C:\Program Files\Common Files\ST System Shared
2007-04-26 18:25:19   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-04-26 18:25:19   --------   d-----w   C:\Program Files\Samsung
2007-04-26 18:25:19   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\Samsung
2007-04-26 16:42:50   --------   d-----w   C:\Program Files\Nikon
2007-04-22 13:38:57   247,866   ----a-w   C:\WINDOWS\Alcohol_Toolbar_Uninstaller_6656.exe
2007-04-22 13:38:57   --------   d-----w   C:\Program Files\Alcohol Toolbar
2007-04-22 13:38:30   223,128   ----a-w   C:\WINDOWS\system32\drivers\vaxscsi.sys
2007-04-21 20:57:20   --------   d-----w   C:\Program Files\kaspersky


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 17:41]
{0ACF00E0-C1E4-4F6B-B290-10AC7505C47A}=C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll [2007-04-22 15:38]
{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}=c:\program files\mcafee.com\mps\mcbrhlpr.dll [2005-10-28 10:30]
{3EC8255F-E043-4cae-8B3B-B191550C2A22}=c:\program files\mcafee.com\mps\popupkiller.dll [2005-10-28 10:30]
{41D68ED8-4CFF-4115-88A6-6EBB8AF19000}=c:\program files\mcafee\spamkiller\mcapfbho.dll [2005-11-09 15:08]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\program files\mcafee\virusscan\scriptcl.dll [2006-12-22 17:02]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 03:01]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 14:28]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2004-07-25 12:52]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-03 19:21]
"RTBatteryMeter"="C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe" [2003-01-16 11:32]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2006-03-30 14:31]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-11-09 15:08]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 16:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2006-11-18 14:46]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-11 07:00]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 17:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc   usnsvc


Contents of the 'Scheduled Tasks' folder
2007-06-12 14:05:01  C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2005-03-06 19:11:59  C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-18 19:06:08
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-18 19:07:13
C:\ComboFix-quarantined-files.txt ... 2007-06-18 19:06
C:\ComboFix2.txt ... 2007-06-17 19:51

   --- E O F ---

2. Info about Norton's Live Updater:


I found the following in "Configurations" (I am translating from Dutch Windows to English):

Symantec LiveUpdate
- General
   - Interactive Mode
- FTP
   - Use FTP settings for Internet options
- HTTP
   - HTTP settings for internet options
- ISP
   - Internet options in Configuration screen



3. Install.txt from CCleaner
1310Tour
1310Trb
1310_Help
1310
3D Interior Designer 2
ABC (remove only)
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop Elements 3.0
Adobe Reader 7.0.9 - Nederlands
Adobe Shockwave Player
Adobe® Photoshop® Elements 3.0
Age of Empires III Trial
Age of Mythology
AH Fotoservice
Ahead InCD EasyWrite Reader
Ahead Nero Burning ROM
Ahead NeroMediaPlayer
Ahead NeroVision Express
AiOSoftware
AiO_Scan
Alcohol Toolbar
Apple Software Update
ArcSoft Panorama Maker 3.0
Asterix Maffe Meerkamp
Asterix
AutoUpdate
Barbie Cool Looks Designer
Battle Master 2.0
Beveiligingsupdate for Windows Media Player 10 (KB917734)
Beveiligingsupdate for Windows XP (KB904706)
Beveiligingsupdate voor Windows Media Player (KB911564)
Beveiligingsupdate voor Windows XP (KB890046)
Beveiligingsupdate voor Windows XP (KB893756)
Beveiligingsupdate voor Windows XP (KB896358)
Beveiligingsupdate voor Windows XP (KB896423)
Beveiligingsupdate voor Windows XP (KB896424)
Beveiligingsupdate voor Windows XP (KB896428)
Beveiligingsupdate voor Windows XP (KB899587)
Beveiligingsupdate voor Windows XP (KB899589)
Beveiligingsupdate voor Windows XP (KB899591)
Beveiligingsupdate voor Windows XP (KB900725)
Beveiligingsupdate voor Windows XP (KB901017)
Beveiligingsupdate voor Windows XP (KB901190)
Beveiligingsupdate voor Windows XP (KB901214)
Beveiligingsupdate voor Windows XP (KB902400)
Beveiligingsupdate voor Windows XP (KB905414)
Beveiligingsupdate voor Windows XP (KB905495)
Beveiligingsupdate voor Windows XP (KB905749)
Beveiligingsupdate voor Windows XP (KB908519)
Beveiligingsupdate voor Windows XP (KB911927)
Beveiligingsupdate voor Windows XP (KB912919)
Beveiligingsupdate voor Windows XP (KB913580)
Beveiligingsupdate voor Windows XP (KB914388)
Beveiligingsupdate voor Windows XP (KB914389)
Beveiligingsupdate voor Windows XP (KB914798)
Beveiligingsupdate voor Windows XP (KB917344)
Beveiligingsupdate voor Windows XP (KB917422)
Beveiligingsupdate voor Windows XP (KB917953)
Beveiligingsupdate voor Windows XP (KB919007)
Beveiligingsupdate voor Windows XP (KB920670)
Beveiligingsupdate voor Windows XP (KB920683)
Beveiligingsupdate voor Windows XP (KB920685)
Beveiligingsupdate voor Windows XP (KB921398)
Beveiligingsupdate voor Windows XP (KB921883)
Beveiligingsupdate voor Windows XP (KB922616)
Beveiligingsupdate voor Windows XP (KB922819)
Beveiligingsupdate voor Windows XP (KB923191)
Beveiligingsupdate voor Windows XP (KB923414)
Beveiligingsupdate voor Windows XP (KB924191)
Beveiligingsupdate voor Windows XP (KB924496)
BufferChm
Bugs Bunny & Taz - Op avontuur door de tijd
Bugs Bunny - Reis door de Tijd
Buzz Lightyear of Star Command
Castle Strike Demo
CCleaner (remove only)
Celestia 1.3.2
cladDVD .NET v3.5.6
Classic PhoneTools
Conexant SmartHSFi V92 56K Speakerphone PCI Modem
Cool Edit 96
Copy
Core FTP LE 1.3c
CoverPrint 0.6.0 English
CoverPro
coverXP (remove only)
CreativeProjectsTemplates
CreativeProjects
CueTour
DAO
dBpowerAMP Music Converter
De Kolonisten van Catan
De Sims 2
De Sims™ 2 Familiepret – Accessoires
Declick 2000
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Der teuflische Spiegel
Desktop Guitarist Shareware
Destinations
Digimax Master
Digimax RAW Converter
Digital Line Detect
Dino Island
Director
Disney’s SpellenSpektakel
DivX Player
DivX Web Player
DivX
DocProc
DocumentViewer
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab (remove only)
DVDSentry
Easy CD Creator 5 Basic
Easy Wonen 1
EasyPeg 1
Eigen Homepage LITE
Empire Earth
ET The Extra-Terrestrial Interplanetary Mission
Fax
Finale NotePad 2004
FLAC Installer 1.1.2a (remove only)
Flight Unlimited II
FLV Player
Gaim (alleen verwijderen)
GenoPro
Google Earth
Google Toolbar for Internet Explorer
GrabIt 1.6.2 Beta (build 940)
Help and Support Customization
Hema Album Software Advanced
Henzo Imager
HijackThis 1.99.1
Hitman Pro
Hotfix for MDAC 2.80 (KB911562)
HP Diagnostic Assistant
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
HPSystemDiagnostics
Image Analyzer
Indeo® Software
InstantShare
Intel® PRO Network Adapters and Drivers
Intel® PROSet
iTunes
JannieBall
JBCD
KaM - The Peasants Rebellion
Knight Rider
KnightsAndMerchants
LEGO Chess
LEGO Creator Knights Kingdom
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Lp2Cd
Mah Jongg III
McAfee SecurityCenter
McAfee Wizard Installatie ongedaan maken
Microsoft .NET Framework 1.1 Dutch Language Pack
Microsoft .NET Framework 1.1
Microsoft Visio Professional 2002 [English]
Microsoft Works 7.0
Modem Helper
Monsters en Co. Schrik Eiland
Moto Racer
Mozilla Firefox (2.0.0.4)
MP3's Utilities 1.6.38
MSXML4 Parser
MUSICMATCH® Jukebox
Namo WebEditor 3.0
NetObjects Fusion 7.5
NetWaiting
Nikon FotoShare
Nikon View 6
Nokia 3200 USB-Handset Manager
NVIDIA Drivers
OpenOffice.org 1.1.0
OpenOffice.org 2.0
Overland
PC Cleaner 2.0
Peter Jackson's King Kong - The Official Game of the Movie
PhotoGallery
Picasa 2
Pirates of the Caribbean
PowerDVD
PrintMaster 7.00
PrintScreen
ProductContext
QFolder
QuickPar 0.9
QuickProjects
QuickTime
Readme
RealPlayer
Redcat Brutale Bankroof
RedCat Spookkasteel
Rol
RS2
Scan
Secret Weapons Over Normandy
Serif PhotoPlus 5.5
Serif WebPlus 6.0 Wizard Pack
Serif WebPlus 6.0
SimCity 2000® Special Edition
SimSafari
SkinsHP1
Skype 1.3
Sony Sound Forge 7.0
Sound Blaster Live!
SPIDI
Spy Sweeper
Spybot - Search & Destroy 1.4
Spyware Doctor 5.0
SpywareBlaster v3.5.1
Stronghold
Syberia 2 Demo
The General 3.4
The Sims Abracadabra
TopStyle Lite (Version 2)
TorrenTopia Client
Total Commander (Remove or Repair)
TrayApp
Trillian
Unload
Update voor Windows XP (KB835409)
Update voor Windows XP (KB898461)
Update voor Windows XP (KB908531)
Update voor Windows XP (KB910437)
Update voor Windows XP (KB911280)
Uru - Ages Beyond Myst Demo
Uru - Ages Beyond Myst
Vakantieboek
VibrateGameDeviceDriver
WAV to MP3 Encoder
Wave Repair 4.8.5
WavePurity
WebFldrs XP
WebReg
Winamp (Remove Only)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB912812
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
WinRAR
WinZip
Zoner Draw 3

Offline guestolo

Vundo infection?
« Reply #13 on: June 18, 2007, 02:13:17 PM »
It appears that Livereg and liveupdate are leftovers from Symantec's software you don't have installed anymore
I was just checking for another Norton entry from the install list, but it wasn't found

You can access your add/remove programs and remove
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)

Reboot the computer after both are removed, don't worry about prompts if it mentions its software is still installed

Back in Windows
Can you go to START>>All programs>>Accessories>>System tools>>Scheduled tasks
Does Symantec NetDetect still remain?

Also, can you do the following please
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as Export.bat

Save this file on the desktop

 
Code:
regedit /e Export.txt "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer"
Double click on Export.bat>>a text file should appear on desktop called Export.txt
Can you copy>>paste back here the contents please

How is everything running now?
« Last Edit: June 18, 2007, 02:17:23 PM by guestolo »



Offline rosedaniels

Vundo infection?
« Reply #14 on: June 18, 2007, 03:01:43 PM »
Hi guestolo,

I removed LiveReg and LiveUpdate 1.80 and checked it in scheduled tasks. There was no symantec netdetect anymore.

Then I typed in your CODE in Notepad and followed your instructions. The result was an enormous text file with huge amounts of hexadecimal codes, etc.
At that point I doubted if I had followed your instructions correctly, so I decided to do it again, but this time copying your text into Notepad. I followed your instructions again, with the result of this text file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:5f,00,00,00
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

Is this what you expected? This result, in relation to the extreme first result, makes me unsure at this point whether I didn't do something wrong.

I still have the first export.txt file. If you want it I can maybe mail it to you, as it is about 89 MB large!! So posting it here is maybe not wise?

To your question how everything is running, I cannot give you a good answer as we did NOT use Windows Live Messenger since I contacted you. And I am not sure to use it again until this problem has been solved. The two files mon.exe and doc.exe are still on my desktop. Do you want me to remove them, and try Windows Live Messenger again and see what happens?


PS, couldn't resist, so I tried WLM and .... it's still there. I removed mon and doc and started WLM, and McAfee reported it removed Downloader-BCF. After WLM had started up the mouse was blocked while WLM was busy trying to log in (or something). So I had to stop the computer manually (press the start button for 8 secs)
« Last Edit: June 18, 2007, 04:28:42 PM by rosedaniels »
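Added example, not code from the thread or from guestolo: a small Python parser for the Export.txt format that regedit /e produces, which checks the same two things the ComboFix script (the "@=-" line under Registry::) and the Export.bat step were about, namely whether the policies\explorer key still carries a default value and whether its Run subkey (an autostart location) holds any entries. Both samples are constructed; the first reproduces the clean export posted above, the second is hypothetical and its paths are placeholders.

```python
r"""Check a regedit /e export of the Explorer policies key.

Added example (not from the thread): parses the "Windows Registry Editor
Version 5.00" text format and reports a default value (@) on the
policies\explorer key and any entries under policies\explorer\Run.
"""
import re

# The key guestolo had exported, written as it appears in Export.txt.
EXPLORER_POLICY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer"

# Constructed sample 1: the clean Export.txt as posted in the thread.
SAMPLE_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:5f,00,00,00
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"""

# Constructed sample 2 (hypothetical): a default value still set and an entry
# in the policy Run key. The paths are placeholders, not values from the thread.
SAMPLE_SUSPECT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@="C:\\PLACEHOLDER\\dropped.exe"
"NoDriveTypeAutoRun"=hex:5f,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"1"="C:\\PLACEHOLDER\\dropped.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _decode(data):
    """Turn the right-hand side of a value line into (type, python value)."""
    if data == "-":
        return ("DELETE", None)          # the "@=-" form used in the ComboFix script
    if data.startswith('"') and data.endswith('"'):
        return ("REG_SZ", _unescape(data[1:-1]))
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[6:], 16))
    if data.startswith("hex:"):
        return ("REG_BINARY", bytes.fromhex(data[4:].replace(",", "")))
    if data.startswith("hex("):
        # hex(N): typed binary data, e.g. hex(2) for REG_EXPAND_SZ
        close = data.index(")")
        return ("REG_TYPE_" + data[4:close], bytes.fromhex(data[close + 2:].replace(",", "")))
    return ("UNKNOWN", data)


def parse_reg(text):
    """Return {key_path: {value_name: (type, value)}}; '' is the default value."""
    keys = {}
    current = None
    pending = None  # (name, partial data) while a hex value continues on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            name, data = pending
            data += line
            if data.endswith("\\"):      # still more continuation lines
                pending = (name, data[:-1])
                continue
            pending = None
            keys[current][name] = _decode(data)
            continue
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data.endswith("\\"):      # long hex values wrap with a trailing backslash
                pending = (name, data[:-1])
                continue
            keys[current][name] = _decode(data)
    return keys


def check_explorer_policies(keys):
    """Return findings for the exported key; an empty list means nothing to report."""
    findings = []
    by_lower = {path.lower(): values for path, values in keys.items()}
    policy = by_lower.get(EXPLORER_POLICY.lower(), {})
    if "" in policy:
        # This is the value the ComboFix "@=-" directive deleted.
        findings.append("default value set on policies\\explorer: %r" % (policy[""][1],))
    run = by_lower.get(EXPLORER_POLICY.lower() + r"\run", {})
    for name, (kind, value) in sorted(run.items()):
        # policies\explorer\Run is an autostart location: entries here run at logon.
        findings.append("policy Run entry %r -> %r" % (name, value))
    return findings


if __name__ == "__main__":
    import sys
    # regedit /e writes UTF-16LE with a BOM, so decode a real Export.txt as utf-16.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_CLEAN
    for finding in check_explorer_policies(parse_reg(text)) or ["nothing to report"]:
        print(finding)
```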

Offline guestolo

Vundo infection?
« Reply #15 on: June 18, 2007, 04:28:58 PM »
Export.txt looks ok, you can delete it and Export.bat

Yes, go ahead and delete mon.exe and doc.exe from desktop

Let's see how things are with Live Messenger



Offline rosedaniels

Vundo infection?
« Reply #16 on: June 18, 2007, 04:30:05 PM »
Our messages 'crossed':

PS, couldn't resist, so I tried WLM and .... it's still there. I removed mon and doc and started WLM, and McAfee reported it removed Downloader-BCF. After WLM had started up the mouse was blocked while WLM was busy trying to log in (or something). So I had to stop the computer manually (press the start button for 8 secs)

Offline guestolo

Vundo infection?
« Reply #17 on: June 18, 2007, 04:32:23 PM »
Can you run Combofix again and post its new log



Offline rosedaniels

Vundo infection?
« Reply #18 on: June 18, 2007, 05:09:43 PM »
Took a while, but here it is:

ComboFix 07-06-17 - C:\Documents and Settings\Arjan\Bureaublad\ComboFix.exe
"Arjan" - 2007-06-18 23:52:13 - Service Pack 1  NTFS  
Command switches used :: C:\Documents and Settings\Arjan\Bureaublad\ComboFix-Do.txt


(((((((((((((((((((((((((   Files Created from 2007-05-18 to 2007-06-18  )))))))))))))))))))))))))))))))


2007-06-18 19:18   <DIR>   dr-h-----   C:\DOCUME~1\Arjan\Onlangs geopend
2007-06-18 19:16   <DIR>   d--------   C:\Program Files\CCleaner
2007-06-17 21:51   3,222   --a------   C:\WINDOWS\SYSTEM32\tmp.reg
2007-06-17 19:32   49,152   --a------   C:\WINDOWS\nircmd.exe
2007-06-15 16:35   <DIR>   d--------   C:\HJT
2007-06-14 17:15   <DIR>   d--------   C:\VundoFix Backups
2007-06-13 23:05   83,024   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\iksyssec.sys
2007-06-13 23:05   626,688   --a------   C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-06-13 23:05   57,424   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\iksysflt.sys
2007-06-13 23:05   53,840   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\ikfilesec.sys
2007-06-13 23:05   39,376   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\ikfileflt.sys
2007-06-13 23:05   29,264   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\kcom.sys
2007-06-13 23:05   <DIR>   d--------   C:\Program Files\Spyware Doctor
2007-06-13 23:04   22,080   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\sshrmd.sys
2007-06-13 23:04   21,056   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\sskbfd.sys
2007-06-13 23:04   20,544   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\SSFS0509.sys
2007-06-13 23:04   164   --a------   C:\install.dat
2007-06-13 23:04   144,960   --a------   C:\WINDOWS\SYSTEM32\DRIVERS\ssidrv.sys
2007-06-13 23:04   <DIR>   d--------   C:\Program Files\Webroot
2007-06-13 23:04   <DIR>   d--------   C:\DOCUME~1\Arjan\APPLIC~1\Webroot
2007-06-13 23:04   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-06-13 23:02   <DIR>   d--------   C:\Program Files\Lavasoft
2007-06-13 22:59   <DIR>   d--------   C:\Program Files\SpywareBlaster
2007-06-11 21:06   <DIR>   d--------   C:\WINDOWS\FLV Player
2007-06-11 21:06   <DIR>   d--------   C:\Program Files\FLV Player
2007-06-11 20:53   <DIR>   d--------   C:\Program Files\Super
2007-05-31 23:59   <DIR>   d--------   C:\Program Files\Bordermaker26
2007-05-28 10:14   <DIR>   d--------   C:\Program Files\AH Fotoservice
2007-05-19 13:10   335   --a------   C:\WINDOWS\mozregistry.dat


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-18 19:38:39   --------   d-----w   C:\Program Files\Common Files\Symantec Shared
2007-06-18 10:50:12   69,380   ----a-w   C:\WINDOWS\system32\PERFC013.DAT
2007-06-18 10:50:12   442,004   ----a-w   C:\WINDOWS\system32\PERFH013.DAT
2007-06-17 19:19:22   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\OpenOffice.org2
2007-06-17 19:09:31   --------   d-----w   C:\Program Files\OpenOffice.org1.1.0
2007-06-17 14:10:23   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\CoreFTP
2007-06-16 20:50:44   --------   d-----w   C:\Program Files\Trillian
2007-06-16 04:22:50   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\SiteAdvisor
2007-06-15 14:43:56   --------   d-----w   C:\Program Files\Hitman Pro
2007-06-13 21:22:19   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\Lavasoft
2007-06-13 14:58:40   --------   d-----w   C:\Program Files\MSN Messenger
2007-06-03 20:33:34   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\AdobeUM
2007-05-20 14:35:25   --------   d-----w   C:\Program Files\Hema Album Software Advanced
2007-05-18 12:24:01   --------   d-----w   C:\Program Files\Der teuflische Spiegel
2007-05-18 08:28:27   5,819,200   ----a-w   C:\Program Files\Firefox Setup 2.0.0.3.exe
2007-05-12 18:22:18   --------   d-----w   C:\Program Files\GenoPro
2007-05-03 10:05:56   --------   d-----w   C:\Program Files\GIMP-2.0
2007-04-26 18:25:20   --------   d-----w   C:\Program Files\Common Files\ST System Shared
2007-04-26 18:25:19   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-04-26 18:25:19   --------   d-----w   C:\Program Files\Samsung
2007-04-26 18:25:19   --------   d-----w   C:\DOCUME~1\Arjan\APPLIC~1\Samsung
2007-04-26 16:42:50   --------   d-----w   C:\Program Files\Nikon
2007-04-22 13:38:57   247,866   ----a-w   C:\WINDOWS\Alcohol_Toolbar_Uninstaller_6656.exe
2007-04-22 13:38:57   --------   d-----w   C:\Program Files\Alcohol Toolbar
2007-04-22 13:38:30   223,128   ----a-w   C:\WINDOWS\system32\drivers\vaxscsi.sys
2007-04-21 20:57:20   --------   d-----w   C:\Program Files\kaspersky


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\6066\SiteAdv.dll [2007-03-30 17:41]
{0ACF00E0-C1E4-4F6B-B290-10AC7505C47A}=C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll [2007-04-22 15:38]
{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}=c:\program files\mcafee.com\mps\mcbrhlpr.dll [2005-10-28 10:30]
{3EC8255F-E043-4cae-8B3B-B191550C2A22}=c:\program files\mcafee.com\mps\popupkiller.dll [2005-10-28 10:30]
{41D68ED8-4CFF-4115-88A6-6EBB8AF19000}=c:\program files\mcafee\spamkiller\mcapfbho.dll [2005-11-09 15:08]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\program files\mcafee\virusscan\scriptcl.dll [2006-12-22 17:02]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 03:01]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 14:28]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2004-07-25 12:52]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-03 19:21]
"RTBatteryMeter"="C:\Program Files\VibrateGameDeviceDriver\RFPIcon.exe" [2003-01-16 11:32]
"MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2006-03-30 14:31]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-11-09 15:08]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 16:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2006-11-18 14:46]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-11 07:00]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 17:18]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc   usnsvc


Contents of the 'Scheduled Tasks' folder
2007-06-12 14:05:01  C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 00:05:13
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-19  0:06:34
C:\ComboFix-quarantined-files.txt ... 2007-06-19 00:06
C:\ComboFix2.txt ... 2007-06-18 19:07
C:\ComboFix3.txt ... 2007-06-17 19:51

   --- E O F ---

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Vundo infection?
« Reply #19 on: June 18, 2007, 05:51:37 PM »
It's not showing now in the log

Just for a double check
Can you do the following
From my signature below,
Use INTERNET EXPLORER
Run an online virus scan at Kaspersky's
At the link click Run Online Scanner
Accept the prompt at the Welcome screen
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

   
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
       
  • Now click on Scan Settings
       
  • In the scan settings make sure that the following are selected:

         ***Scan using the following Anti-Virus database:
            Extended (if available otherwise Standard)
         ***Scan Options:
            Scan Archives
            Scan Mail Bases
   
  • Click OK
       
  • Now under select a target to scan:

            Select My Computer
   
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.

        ***Now click on the Save as Text button:
   
  • Save the file to your desktop.
  • Copy and paste that information in your next post

Could you also do the following
supply a host file list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open Hosts File Manager
Click the "Open in Notepad" button
copy>>Paste back here the Whole contents

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
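As an added example (not from this thread, and not part of HijackThis or ComboFix), this is the check a helper performs by eye when asking for the hosts file: parse the dump and report every mapping that is not the stock localhost entry, since Vundo-era adware commonly pointed vendor and update hostnames at loopback or at a rogue address. The sample hosts content, its hostnames and the 192.0.2.10 address are constructed for the demonstration.

```python
# Triage a Windows hosts file the way a malware-removal helper reads the
# HijackThis "Hosts file manager" dump: report anything beyond the defaults.
import ipaddress

DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:          # malformed line with no hostname
            continue
        ip, names = parts[0], parts[1:]
        for name in names:          # one IP may map several hostnames
            yield ip, name.lower()

def triage_hosts(text):
    """Return a list of (ip, hostname, reason) for every non-default entry."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            reason = "blocked: resolves to loopback/0.0.0.0"   # vendor sites nulled
        else:
            reason = "redirected: resolves to non-local address"  # silent redirect
        findings.append((ip, name, reason))
    return findings

# Constructed sample modelled on a hijacked XP hosts file (not a real capture).
SAMPLE_HOSTS = """\
# sample header comment
127.0.0.1       localhost
127.0.0.1       www.kaspersky.com     # constructed: vendor site blocked
127.0.0.1       update.mcafee.com
192.0.2.10      www.example-bank.test # constructed: redirect
"""

if __name__ == "__main__":
    for ip, name, reason in triage_hosts(SAMPLE_HOSTS):
        print(f"{ip:<15} {name:<24} {reason}")
```

A clean XP hosts file yields an empty report; every line the script prints is something the helper would ask the user to remove or explain.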