Author Topic: Vundo infection?  (Read 2044 times)

Offline rosedaniels

Vundo infection?
« Reply #20 on: June 19, 2007, 03:47:05 AM »
Here's the report from Kaspersky:

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Tuesday, June 19, 2007 10:43:00 AM
 Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
 Kaspersky Online Scanner version: 5.0.83.0
 Kaspersky Anti-Virus database last update: 19/06/2007
 Kaspersky Anti-Virus database records: 348710
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: extended
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - My Computer:
   A:\
   C:\
   D:\

Scan Statistics:
   Total number of scanned objects: 162097
   Number of viruses found: 4
   Number of infected objects: 15 / 0
   Number of suspicious objects: 0
   Duration of the scan process: 02:29:22

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\tempIpRules.xdb   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{FB019C0B-337E-4CDE-9E21-C90B2961C753}.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\McAfee\SpamKiller\Logs\Filtering.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log   Object is locked   skipped
C:\Documents and Settings\Arjan\Application Data\SiteAdvisor\SiteAdv.csh   Object is locked   skipped
C:\Documents and Settings\Arjan\Bureaublad\mon.exe/data0003   Infected: Trojan-Downloader.Win32.Agent.brf   skipped
C:\Documents and Settings\Arjan\Bureaublad\mon.exe   NSIS: infected - 1   skipped
C:\Documents and Settings\Arjan\Bureaublad\SmitfraudFix\Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Documents and Settings\Arjan\Bureaublad\SmitfraudFix.zip/SmitfraudFix/Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Documents and Settings\Arjan\Bureaublad\SmitfraudFix.zip   ZIP: infected - 1   skipped
C:\Documents and Settings\Arjan\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Geschiedenis\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Temp\hpodvd09.log   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Temp\~DF92B7.tmp   Object is locked   skipped
C:\Documents and Settings\Arjan\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\Arjan\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\Arjan\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Geschiedenis\History.IE5\INDEX.DAT   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT   Object is locked   skipped
C:\Documents and Settings\LocalService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG   Object is locked   skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log   Object is locked   skipped
C:\Program Files\MSN Messenger\msnmsgr.exe   Infected: Trojan-Downloader.Win32.Agent.btu   skipped
C:\Program Files\Webroot\Spy Sweeperhe\Masters\masters.bak   Object is locked   skipped
C:\Program Files\Webroot\Spy Sweeperhe\Masters\Masters.const   Object is locked   skipped
C:\Program Files\Webroot\Spy Sweeperhe\Masters\masters.mst   Object is locked   skipped
C:\Program Files\Webroot\Spy Sweeperhe\Masters.base   Object is locked   skipped
C:\QooBox\Quarantine\C\DOCUME~1\Arjan\mon.exe.vir/data0002   Infected: not-a-virus:AdWare.Win32.Virtumonde.jp   skipped
C:\QooBox\Quarantine\C\DOCUME~1\Arjan\mon.exe.vir/data0003   Infected: Trojan-Downloader.Win32.Agent.brf   skipped
C:\QooBox\Quarantine\C\DOCUME~1\Arjan\mon.exe.vir   NSIS: infected - 2   skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mon.exe.vir/data0002   Infected: not-a-virus:AdWare.Win32.Virtumonde.jp   skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mon.exe.vir/data0003   Infected: Trojan-Downloader.Win32.Agent.brf   skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mon.exe.vir   NSIS: infected - 2   skipped
C:\WINDOWS\Debug\PASSWD.LOG   Object is locked   skipped
C:\WINDOWS\SchedLgU.Txt   Object is locked   skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log   Object is locked   skipped
C:\WINDOWS\Sti_Trace.log   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Geschiedenis\History.IE5\INDEX.DAT   Object is locked   skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT   Object is locked   skipped
C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys   Object is locked   skipped
C:\WINDOWS\SYSTEM32\DRIVERS\sptd5437.sys   Object is locked   skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT   Object is locked   skipped
C:\WINDOWS\SYSTEM32\mclsphlr\mon.exe/data0002   Infected: not-a-virus:AdWare.Win32.Virtumonde.jp   skipped
C:\WINDOWS\SYSTEM32\mclsphlr\mon.exe/data0003   Infected: Trojan-Downloader.Win32.Agent.brf   skipped
C:\WINDOWS\SYSTEM32\mclsphlr\mon.exe   NSIS: infected - 2   skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR   Object is locked   skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA   Object is locked   skipped
C:\WINDOWS\Temp\mcafee_LCGB9RufIeg9bfk   Object is locked   skipped
C:\WINDOWS\Temp\mcafee_ZHuMlfaJF0gwadD   Object is locked   skipped
C:\WINDOWS\Temp\mcmsc_5sXQyVnBBHDlqoL   Object is locked   skipped
C:\WINDOWS\Temp\mcmsc_GCRQxi7BQTcuUPs   Object is locked   skipped
C:\WINDOWS\Temp\mcmsc_l12c3ZErEdfLMJN   Object is locked   skipped
C:\WINDOWS\Temp\mcmsc_QpJZcle0YcOV1cQ   Object is locked   skipped
C:\WINDOWS\WIADEBUG.LOG   Object is locked   skipped
C:\WINDOWS\WIASERVC.LOG   Object is locked   skipped
C:\WINDOWS\WindowsUpdate.log   Object is locked   skipped

Scan process completed.

Offline rosedaniels

Vundo infection?
« Reply #21 on: June 19, 2007, 03:49:31 AM »
And the hosts report from HJT; the first lines are 'example lines in Dutch':

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each entry
# should be kept on an individual line. The IP address should be placed in the first
# column, followed by the corresponding host name. The IP address and the host name
# should be separated by at least one space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name, denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
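The reason HJT dumps the hosts file is that a mapping added to it silently overrides DNS for that name. As an added example (not part of the thread or of HijackThis), the following Python reads a file in the format described in the comment header above, first column an IP address, then host names, '#' starting a comment, and flags every mapping other than the stock loopback line; the sample text and the two extra mappings are constructed for the example.

```python
import ipaddress

# Constructed sample in the layout of the hosts report above: an abridged comment
# header, the stock loopback line, and two invented mappings for the audit to flag.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
127.0.0.1       update.example-vendor.test
10.0.0.5        www.example.test   # trailing comment
"""

DEFAULT_NAMES = {"localhost"}

def parse_hosts(text):
    """Return (ip, hostname) pairs: '#' starts a comment, the address is the first
    column, every following column is a host name for that address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries

def audit_hosts(text):
    """Classify each mapping (assumed categories, not HijackThis's own):
    default   - loopback -> localhost, the stock Windows entry
    blackhole - loopback for any other name (the name becomes unreachable)
    redirect  - a non-loopback address for a name (the name goes elsewhere)
    malformed - first column is not an IP address"""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "malformed"))
            continue
        if addr.is_loopback and name in DEFAULT_NAMES:
            kind = "default"
        elif addr.is_loopback:
            kind = "blackhole"
        else:
            kind = "redirect"
        findings.append((ip, name, kind))
    return findings

def non_default(text):
    """Everything a reviewer should look at: all mappings except the stock one."""
    return [f for f in audit_hosts(text) if f[2] != "default"]
```

Run against the report posted above, the only mapping is 127.0.0.1 localhost, so `non_default` returns an empty list, which is the clean result.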

Offline rosedaniels

Vundo infection?
« Reply #22 on: June 21, 2007, 12:11:16 PM »
OK,
in your absence I hope to have solved my problem :D

I removed the files listed as 'infected' in the last Kaspersky report and then I de-installed Live Messenger. Computer restarted. None of the files appeared again.
I ran another scan with McAfee and nothing was found. Again computer restart.
Then I downloaded Live Messenger and installed it. Started it up and nothing strange happened. (Before, when infected, I could not log in as the startup screen seemed to be 'taken over'.)

So as far as I am concerned the problem seems to have disappeared.

If you have reason to 'correct me' having read the last Kaspersky log and hosts file report, please do so!!!

best regards and many thanks so far.

rosedaniels

Offline guestolo

Vundo infection?
« Reply #23 on: June 26, 2007, 03:37:51 PM »
Very sorry for the delay, Rose.
Yes, I noticed these in your Kaspersky log

C:\Documents and Settings\Arjan\Bureaublad\mon.exe

C:\Program Files\MSN Messenger\msnmsgr.exe Infected <- may have been able to disinfect with another scanner, but your steps worked, good work

C:\Documents and Settings\Arjan\Bureaublad\SmitfraudFix\Reboot.exe Infected <- false alarm, but you can delete the whole SmitfraudFix folder

C:\QooBox\Quarantine\C\DOCUME~1\Arjan\mon.exe.vir <- this one was in a backup folder from ComboFix
You can delete the whole QooBox folder

I hope things are still running well

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
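The reply above does by hand what a triage pass over a Kaspersky Online Scanner report should do: ignore the "Object is locked / skipped" lines (files in use, not detections), separate the real "Infected:" hits from the archive summary lines ("NSIS: infected - 2"), and sort the hits into copies already sitting in ComboFix's QooBox quarantine, RiskTool hits such as SmitfraudFix's Reboot.exe that need a second look, and everything else. As an added example (my code, not Kaspersky's or the forum's), the Python below implements exactly those rules over a constructed excerpt of the report posted earlier in this thread; the verdict categories are my assumptions.

```python
import re

# Constructed excerpt in the layout of the Kaspersky report above: "<path>   <result>
# <last action>", columns separated by three or more spaces (paths may contain single spaces).
SAMPLE_REPORT = r"""
C:\WINDOWS\SYSTEM32\CONFIG\SAM   Object is locked   skipped
C:\Documents and Settings\Arjan\Bureaublad\mon.exe/data0003   Infected: Trojan-Downloader.Win32.Agent.brf   skipped
C:\Documents and Settings\Arjan\Bureaublad\mon.exe   NSIS: infected - 1   skipped
C:\Documents and Settings\Arjan\Bureaublad\SmitfraudFix\Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Program Files\MSN Messenger\msnmsgr.exe   Infected: Trojan-Downloader.Win32.Agent.btu   skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mon.exe.vir/data0002   Infected: not-a-virus:AdWare.Win32.Virtumonde.jp   skipped
Scan process completed.
"""

QUARANTINE_DIR = "\\qoobox\\quarantine\\"   # ComboFix backup folder named in the thread

def parse_lines(text):
    """Yield (path, result, action) for each three-column line; headers and trailers are dropped."""
    for line in text.splitlines():
        fields = re.split(r"\s{3,}", line.strip())
        if len(fields) == 3:
            yield tuple(fields)

def verdict(path, name):
    """Assumed triage rules mirroring the reply above (not Kaspersky's own categories)."""
    if QUARANTINE_DIR in path.lower():
        return "quarantined"      # already-neutralised copy: delete the folder
    if name.startswith("not-a-virus:RiskTool"):
        return "review"           # legitimate-tool class, e.g. SmitfraudFix's Reboot.exe
    return "active"

def triage(text):
    summary = {"locked": 0, "containers": {}, "detections": []}
    for path, result, action in parse_lines(text):
        if result.startswith("Object is locked"):
            summary["locked"] += 1                # in-use files, not detections
            continue
        hit = re.match(r"Infected: (.+)", result)
        if hit:
            name = hit.group(1)                   # "x.exe/data0003" -> container "x.exe"
            summary["detections"].append({"path": path, "container": path.split("/")[0],
                                          "name": name, "verdict": verdict(path, name)})
            continue
        arc = re.match(r"(\w+): infected - (\d+)", result)
        if arc:                                   # archive-level summary line
            summary["containers"][path] = (arc.group(1), int(arc.group(2)))
    return summary

def active_containers(summary):
    """Top-level files that still need attention, deduplicated and sorted."""
    return sorted({d["container"] for d in summary["detections"] if d["verdict"] == "active"})
```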


Offline rosedaniels

Vundo infection?
« Reply #24 on: December 03, 2007, 11:21:32 AM »
Quote from: guestolo on Jun 26 2007, 09:37 PM
> Very sorry for the delay, Rose.
> Yes, I noticed these in your Kaspersky log
>
> C:\Documents and Settings\Arjan\Bureaublad\mon.exe
>
> C:\Program Files\MSN Messenger\msnmsgr.exe Infected <- may have been able to disinfect with another scanner, but your steps worked, good work
>
> C:\Documents and Settings\Arjan\Bureaublad\SmitfraudFix\Reboot.exe Infected <- false alarm, but you can delete the whole SmitfraudFix folder
>
> C:\QooBox\Quarantine\C\DOCUME~1\Arjan\mon.exe.vir <- this one was in a backup folder from ComboFix
> You can delete the whole QooBox folder
>
> I hope things are still running well


And sorry for not replying;

So just to let you know:
things are still running very well.

Thanks for the help again

Offline guestolo

Vundo infection?
« Reply #25 on: December 03, 2007, 10:27:22 PM »
I'll lock this topic as things are running well and this topic is very outdated
