|
Help with Vundo Trojan
|
|
|
ant2008
Newbie
|
29. December 2008 @ 01:13 |
Link to this message
|
Hello,
I have been using internet explorer for a while. Recently, i believe that someone hijacked my browser. Malybytes Anti-malware detected 42 trojans which were all detected as trojan.vundo. Two of them are in the registry. They are MS Juan and MS Track System. I have tracked down that they are created whenever internet explorer is started. I am now using firefox but would still like to know why this is.
Thanks
|
|
Advertisement
|
|
|
|
AfterDawn Addict
|
29. December 2008 @ 11:18 |
Link to this message
|
Hi ant2008,
1. Download Combo fix from one of these locations.
* IMPORTANT !!! Place combofix.exe on your Desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Click start > run and Copy and Paste this in exactly, using the picture below for reference, then click OK.
Quote:
"%userprofile%\desktop\combofix.exe" /killall
3. Combo will begin to run DO NOTHING while this is happening.
? It will kill a few processes and disconnect you from the internet.
? If by chance it stops prematurely you can re-establish your internet connection by restarting your computer.
? This needs to be done so the program can work most efficiently for you.
Do not attempt to use the internet or anything else while it's doing its job for you.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
If when it's completed you can not get on the internet just reboot the computer
Post the log from comboFix for me located in
c:\comboFix.txt
2OG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
ant2008
Newbie
|
29. December 2008 @ 22:06 |
Link to this message
|
Thank you for the quick respnse. I ran combofix and here is my log.
ComboFix 08-12-29.01 - Jennifer 2008-12-29 18:33:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.537 [GMT -8:00]
Running from: c:\documents and settings\Jennifer\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Jennifer\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\geBtSIbX.dll
c:\windows\system32\uhmgoi.dll
c:\windows\system32\wmldpkad.dll
----- BITS: Possible infected sites -----
hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.
2008-12-23 19:34 . 2008-12-23 19:34 <DIR> d-------- c:\documents and settings\Steve\Application Data\Malwarebytes
2008-12-23 12:46 . 2008-12-23 18:48 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-23 12:46 . 2008-12-24 13:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-22 15:51 . 2008-12-22 15:51 <DIR> d-------- c:\documents and settings\Jennifer\Application Data\Malwarebytes
2008-12-22 15:51 . 2008-12-03 19:52 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-12-22 15:51 . 2008-12-03 19:52 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-12-22 15:50 . 2008-12-22 15:51 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-22 15:50 . 2008-12-22 15:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-20 17:28 . 2008-12-20 18:38 <DIR> d-------- c:\documents and settings\Steve\Application Data\FileZilla
2008-12-13 16:09 . 2008-12-13 16:13 <DIR> d-------- c:\documents and settings\Jennifer\Application Data\FileZilla
2008-12-09 18:19 . 2008-12-09 18:19 <DIR> d-------- c:\program files\PHP
2008-12-09 18:07 . 2008-12-09 20:46 <DIR> d-------- C:\www
2008-12-09 18:05 . 2008-12-09 20:53 <DIR> d-------- c:\documents and settings\Thomas\Application Data\FileZilla
2008-12-09 17:18 . 2008-12-09 17:18 <DIR> d-------- c:\program files\FileZilla FTP Client
2008-12-05 18:28 . 2008-12-05 18:35 <DIR> d-------- c:\program files\AutoCAD 2009
2008-12-05 18:28 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\SYSTEM32\d3dx9_35.dll
2008-12-05 17:49 . 2008-12-05 17:49 <DIR> d-------- C:\install
2008-12-05 14:41 . 2008-12-05 18:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Autodesk
2008-12-05 14:39 . 2008-12-05 14:47 <DIR> d-------- c:\program files\Autodesk
2008-12-05 14:39 . 2007-05-16 16:45 3,497,832 --a------ c:\windows\SYSTEM32\d3dx9_34.dll
2008-12-05 14:39 . 2007-05-16 16:45 1,124,720 --a------ c:\windows\SYSTEM32\D3DCompiler_34.dll
2008-12-05 14:39 . 2007-05-16 16:45 443,752 --a------ c:\windows\SYSTEM32\d3dx10_34.dll
2008-12-05 14:30 . 2008-12-05 14:30 <DIR> d-------- C:\Autodesk
2008-11-15 08:12 . 2008-11-15 08:12 <DIR> d-------- c:\program files\PSP ISO Compressor
2008-11-12 16:10 . 2008-10-24 03:21 455,296 --------- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-11-12 16:09 . 2008-09-04 09:15 1,106,944 --------- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
2008-11-05 17:45 . 2008-11-05 17:45 <DIR> d-------- c:\program files\MyPublisher
2008-11-05 17:45 . 2008-11-05 17:45 <DIR> d-------- c:\documents and settings\Jennifer\Application Data\MyPublisher
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 22:21 --------- d-----w c:\program files\McAfee
2008-12-16 22:44 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-14 06:30 --------- d-----w c:\documents and settings\Jennifer\Application Data\uTorrent
2008-12-13 04:01 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-06 23:08 --------- d-----w c:\documents and settings\Steve\Application Data\Autodesk
2008-12-06 19:13 --------- d-----w c:\program files\AutoCAD
2008-12-06 02:33 --------- d-----w c:\program files\Common Files\Autodesk Shared
2008-12-06 02:28 --------- d-----w c:\documents and settings\Jennifer\Application Data\Autodesk
2008-12-05 04:58 --------- d-----w c:\documents and settings\Jennifer\Application Data\Download Manager
2008-11-21 05:31 --------- d-----w c:\documents and settings\Steve\Application Data\uTorrent
2008-11-08 02:43 --------- d-----w c:\documents and settings\Steve\Application Data\Move Networks
2008-11-07 05:26 --------- d-----w c:\documents and settings\Steve\Application Data\Ahead
2008-11-05 04:32 --------- d-----w c:\documents and settings\Jennifer\Application Data\Move Networks
2006-07-28 16:01 1,094,021 ----a-w c:\program files\dvdshrink32setup1.zip
2006-07-27 16:47 251 ----a-w c:\program files\wt3d.ini
2005-03-04 03:45 848 --sha-w c:\windows\SYSTEM32\KGyGaAvL.sys
1997-06-23 11:00 123,664 --sha-w c:\windows\SYSTEM32\Msjint35.dll
1997-06-23 20:06 24,848 --sha-w c:\windows\SYSTEM32\Msjter35.dll
1997-06-23 20:06 252,176 --sha-w c:\windows\SYSTEM32\Msrd2x35.dll
1997-06-23 20:06 287,504 --sha-w c:\windows\SYSTEM32\Msxbse35.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-02-29 1686464]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-11-11 4583424]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-06 110592]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-02-25 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-09 28672]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2007-03-07 1773568]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"dlbxmon.exe"="c:\program files\Dell Photo AIO Printer 962\dlbxmon.exe" [2005-01-18 425984]
"DLBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2004-12-07 69632]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\SYSTEM32\P17.dll]
c:\documents and settings\Anthony\Start Menu\Programs\Startup\
V CAST Music Monitor.lnk - c:\program files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe [2005-11-30 327680]
c:\documents and settings\Steve\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
c:\documents and settings\Thomas\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
c:\documents and settings\Jennifer\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=uhmgoi.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=c:\documents and settings\Steve\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=c:\windows\pss\Microsoft Office Groove.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2007-02-28 23:06 2321600 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Adobe LM Service"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\dlbxcoms.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-09-30 206096]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;"c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe" [2008-03-10 65536]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11ddf216-3bc6-11dc-b1dd-001a70ad2580}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7e7895c-0d66-11dc-b19c-00038a000015}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2008-12-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
2008-12-30 c:\windows\Tasks\ljxkpcou.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]
2008-12-27 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (D4XK9W61-Jennifer).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []
2007-10-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
2008-12-30 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: *.amaena.com
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.antispyexpert.com
Trusted Zone: *.avsystemcare.com
Trusted Zone: *.gomyhit.com
Trusted Zone: *.imageservr.com
Trusted Zone: *.imagesrvr.com
Trusted Zone: *.onerateld.com
Trusted Zone: *.safetydownload.com
Trusted Zone: *.spyguardpro.com
Trusted Zone: *.storageguardsoft.com
Trusted Zone: *.trustedantivirus.com
Trusted Zone: *.virusremover2008.com
Trusted Zone: *.virusschlacht.com
c:\windows\Downloaded Program Files\CONFLICT.1\Manager.exe - c:\windows\Downloaded Program Files\CONFLICT.1\DownloadManagerV2.ocx
O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967}
hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
c:\windows\Downloaded Program Files\CONFLICT.1\DownloadManagerV2.inf
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 18:44:47
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\windows\EHOME\ehrecvr.exe
c:\windows\EHOME\ehSched.exe
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\windows\EHOME\mcrdsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\SYSTEM32\dllhost.exe
c:\windows\EHOME\ehmsas.exe
c:\windows\SYSTEM32\dlbxcoms.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2008-12-29 18:59:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-30 02:59:40
Pre-Run: 169,361,158,144 bytes free
Post-Run: 170,019,434,496 bytes free
248 --- E O F --- 2008-12-19 06:01:10
Also, today when attempting to download combofix, i used internet explorer to and erased the MS Juan and MS Track System. I downloaded it and got a message saying that it could not be downloaded but the icon was still on the desktop. I went to the virusscan.jotti and about halfway through, IE7 crashed and McAfee alerted me that a trojan had been removed. Also, i noticed that on the root of my C: drive, there are three folders with random file names of letters and numbers.
Thanks
|
AfterDawn Addict
|
30. December 2008 @ 02:45 |
Link to this message
|
|
with a quick scan, I don't see anything in your Log...
Got any problems????
2OG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
ant2008
Newbie
|
30. December 2008 @ 23:57 |
Link to this message
|
|
The user in which the initial attack came was not home today. I went under another user and everything was fine. Could this other user still have a problem? Also, after running the ComboFix, MS Juan and MS Track System have been removed from the registry and are not created when IE7 starts. McAfee is always disabled on logon and fixed immediately once I can start it.
Thanks
|
AfterDawn Addict
|
31. December 2008 @ 00:14 |
Link to this message
|
Quote:
McAfee is always disabled on logon and fixed immediately once I can start it.
Sorry, I don?t understand???
Everything looks good and you shouldn?t have any problems. Let me know if you do.
2OG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
ant2008
Newbie
|
4. January 2009 @ 01:22 |
Link to this message
|
|
OMG. Thank you so much. My computer is running perfectly.
Thanks for your help.
|
AfterDawn Addict
|
4. January 2009 @ 08:51 |
Link to this message
|
|
You're welcome
Have a Happy!
2OG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
chotze
Newbie
|
4. January 2009 @ 20:08 |
Link to this message
|
dear afterdawn members,
i have a vundo trojan problem also in which the NOD32 cannot detect... waahhh.. what can i do about this?????
here's my hijackthis log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:06 AM, on 1/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\vsnp325.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mozillafirefox.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defa...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mozillafirefox.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defa...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp325] C:\WINDOWS\tsnp325.exe
O4 - HKLM\..\Run: [snp325] C:\WINDOWS\vsnp325.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 6008 bytes
thanks alot for the help.. please help me...
|
AfterDawn Addict
|
5. January 2009 @ 01:26 |
Link to this message
|
Hi chotze,
What makes you think you have a Vundo Trojan Problem???
What are the symptoms?
I see where you ran ComboFix on another Old Thread and it came up Clean?..
Your HJT Log shows no signs or traces of Vundo. As a mater of fact it shows nothing, also clean.
Let?s check one more option:
Download Malwarebytes' Anti-Malware to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
? At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
? If an update is found, it will download and install the latest version.
? Once the program has loaded, select Perform full scan, then click Scan.
? When the scan is complete, click OK, then Show Results to view the results.
? Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.
? When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
? Please post the MBAM Log in your next reply.
2OG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
chotze
Newbie
|
6. January 2009 @ 05:44 |
Link to this message
|
hi again ^^,
i've scanned it using malwarebytes as u said... and here's the result. i've found so many viruses and i take u're advice in removing.. After i removed it i'd like to ask a question "is there any effect in deleting the viruses???? and it can effect the running system of my computer???". thank you so much in helping me..:)
Malwarebytes' Anti-Malware 1.32
Database version: 1623
Windows 5.1.2600 Service Pack 2
1/6/2009 6:39:56 PM
mbam-log-2009-01-06 (18-39-56).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 72293
Time elapsed: 34 minute(s), 24 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
C:\WINDOWS\system\msddll.exe (Backdoor.Bot) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msddll (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VMwareService (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msddll (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msddll (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drivers\sysdrv32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system\msddll.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
|
AfterDawn Addict
|
6. January 2009 @ 16:22 |
Link to this message
|
|
chotze,
Looks like you're Clean..
Have any problems????
2OG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
chotze
Newbie
|
8. January 2009 @ 02:17 |
Link to this message
|
|
Hello...:)
sorry for the late reply. I'm busy in my studies.. anyway.. THANK YOU for helping me...=) Take care and GOD bless... Continue to help others...^.^
roschelle
|
|
Advertisement
|
|
|
AfterDawn Addict
|
8. January 2009 @ 02:29 |
Link to this message
|
|
You?re welcome, chotze.. Don?t neglect your studies ;)
If you ever need help, I?ll be here???.
Have a Happy!
2OG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
