help with hjt_log

#1  18-03-2008, 02:03 AM  solotekk (CJ Member)

Hello, this message is for Evilfantasy. I need your assistance in analyzing this log. I was asked by an associate at a corporation if it was possible to completely remove Vundo on a tech's laptop. Of course I said yes. Well, since this is a corporate laptop, I need to take all the extra security precautions. I am keeping the laptop off of the network. I was just given the ok to install Super Antispyware on it, so I will run that scan tomorrow. I installed HJT, and ran a scan. Can you take a look at the log for me? Your help is greatly appreciated.

Thanks.
Solotekk

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:10 PM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Temp\wza650\Step_2_SUPERAntiSpyware.exe
C:\WINDOWS\system32\MSIEXEC.exe
C:\Temp\wzc580\Step_3_jre-6u5-windows-i586-p-s.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://doc2.diebold.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://doc2.diebold.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = WINP:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DieboldProtectScrnsave] wscript.exe "C:\Program Files\Diebold Protect Screensaver\DieboldScrnsvr.vbs"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\StompSoft\PC BackUp\NbkCtrl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DieboldDiskErrorChecker] wscript.exe "c:\windows\_config\DiskErrorChecker.vbs"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [bginfo] C:\Program Files\BGINFO\bginfo.exe "C:\Program Files\BGINFO\diebold.bgi" /Timer:00 /silent
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HP Mobile Printing] C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Disk.vbs
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Firewall Client Management.lnk = ?
O4 - Global Startup: RemoteWare Updates.lnk = C:\Program Files\Remote\NODESYS\rwcupd.exe
O4 - Global Startup: WAS Update.lnk = C:\Program Files\WAS\WiseUpdt.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {BDA584B9-E446-411c-AA8F-3F5B7219F563} - C:\WINDOWS\system32\ClearJCache.exe
O9 - Extra 'Tools' menuitem: Clean JCache - {BDA584B9-E446-411c-AA8F-3F5B7219F563} - C:\WINDOWS\system32\ClearJCache.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O12 - Plugin for .NPSSView: C:\Program Files\Common Files\Crystal Decisions\2.0\crystalreportviewers\Viewers\ActiveX Viewer\NPssView.dll
O15 - Trusted Zone: http://*.dbdfxz (HKLM)
O15 - Trusted Zone: *.skillport.com (HKLM)
O15 - Trusted Zone: http://*.srvs (HKLM)
O15 - Trusted Zone: http://dieboldsurvey.suth.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1133454954515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1133455013656
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {CAFECAFE-0013-0001-0025-ABCDEFABCDEF} (JInitiator 1.3.1.25) -
O16 - DPF: {CAFECAFE-0013-0001-0026-ABCDEFABCDEF} (JInitiator 1.3.1.26) -
O16 - DPF: {DC811A54-8FE7-4653-9DB6-49CEABCE705A} (MOVEitUpDownWiz Class) - https://safetransfer.diebold.com/COM...izard5.1.0.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://dieboldeducation.webex.com/c...ng/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://vpn.diebold.com/dana-cached/...erSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.diebold.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.diebold.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.diebold.com
O23 - Service: Access Manager Event Service (AM.EventService) - MCI, Inc. - C:\Program Files\Remote Services\AM.utEventServer.exe
O23 - Service: Access Manager Install Service (AM.InstallService) - MCI, Inc. - C:\Program Files\Remote Services\AM.InstallService.exe
O23 - Service: Access Manager Script Service (AM.ScriptService) - MCI, Inc. - C:\Program Files\Remote Services\AM.blScriptEngine.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - PCTEL - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: MCI Monitor Service (MCIMonitor) - Boingo Wireless, Inc. - C:\Program Files\Remote Services\WENGINE\wmonitor.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Neoteris Setup Service - Neoteris - C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\StompSoft\PC BackUp\NMSAccess.exe
O23 - Service: NsEngine - Unknown owner - C:\Program Files\StompSoft\PC BackUp\NSENGINE.exe
O23 - Service: OneStep Search Service - OneStepSearch.net, Inc. - C:\Program Files\OneStepSearch\onestep.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RemoteWare Client - XcelleNet, Inc. - C:\WINDOWS\system32\rwcinit.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10335 bytes

Last edited by evilfantasy : 19-03-2008 at 05:48 AM.
#2  18-03-2008, 02:12 AM  evilfantasy (CJ Moderator)

What exactly is happening?
#3  18-03-2008, 02:34 AM  evilfantasy (CJ Moderator)

I think the safest thing to do is run an online scan. Any specialized tools may identify and remove the legitimate programs that are installed.

First

Go to add/remove programs and uninstall OneStep Search Service - Onestep.exe program information

Second

There are some questionable entries in the trusted zones.

Reset Web Settings & Default Security Settings

Note for IE 7 users:

Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

Note for IE 6 users:

To Reset Web Settings:
  • Right click on your desktop Internet Explorer icon and select Properties.
  • Click the Programs tab and then click Reset Web Settings.
  • Now go back to the General tab and set your home page address to something useful like www.computer-juice.com
  • Click Apply.
  • Next click Delete Cookies, Click Delete Files and select Delete all offline content.
  • Click OK > OK
If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.computer-juice.com
Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

To Reset Default Security Settings:
  • Right click on your desktop Internet Explorer icon and select Properties
  • Then click the Security tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.
  • For IE 7 users, simply click the "Reset all zones to default level" button.
Third


This scanner works with Internet Explorer only
Go to the BitDefender Online Scanner
Click I Agree to the license and then install the ActiveX control.
Please DO NOT change the Scanning Options.
That will make your logs huge and we don't need to see clean files.

Select Start Scan to begin.
This scan can take a while so please be patient and let it complete.

Once Bitdefender completes the scan:
Click-on the Detected Problems tab.
Then select Click here to export the scan report



When the window comes up to save the report, change the Save as type: box to:
Text (Tab Delimited) (*.txt) and then in the File name box enter change to bdscan then click Save



This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it.
(take notice of where you save it so you can find it later)

This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

If you do not follow these steps, you will have an incorrect log or, worse, a log summary which is useless to us.

Post the bdscan.txt in the next post.
#4  18-03-2008, 02:36 AM  solotekk (CJ Member)

There were error messages that popped up regarding EWP. I did a little research on EWP files and they point to malware and trojans. (vundo)

#5  18-03-2008, 02:41 AM  evilfantasy (CJ Moderator)

You can run vundofix; it doesn't actually install, it runs from the desktop from the exe file.
#6  18-03-2008, 02:46 AM  solotekk (CJ Member)

There are some questionable entries in the trusted zones.

Could you tell me which entries you think are questionable?

I am on a mission to find exactly how vundo entered this user's laptop. If the user is visiting certain sites, I want to block the site or sites if at all possible.

#7  18-03-2008, 02:48 AM  solotekk (CJ Member)

vundofix from www.atribune.org, correct?
#8  18-03-2008, 03:05 AM  evilfantasy (CJ Moderator)

Actually all of them. Any entry in the trusted zone is exploitable by malware. Putting entries there is like leaving a door wide open to anything malicious.


This entry O15 - Trusted Zone: *.skillport.com (HKLM) is flagged as malicious but I can't find much information on it. It may be safe and some people don't remove them. My advice is always better safe than sorry.

Also update the Java and uninstall the old version. Old Java is another exploitable entry.

How it is getting in is down to user error. Clicking on banner ads or an infected email attachment. Or going to a site that exploits the trusted zones.

Check out part of this article. I won't link to it because it comes from a site selling rogue antispyware, but the information is accurate.

Vundo

How Vundo Spreads

Unlike viruses, trojan horses such as Vundo do not replicate on your machine. This is certainly good news, but it doesn't mean they're any less malicious.

The Vundo bug usually infects a machine when a user clicks on a link in a spam email or visits a website that carries the trojan under the guise of desirable software. Avoiding suspicious websites (and never downloading from them if you do visit) is one easy way to thwart the Vundo threat.

Vundo also spreads through hacked websites (sites the owner doesn't know have been compromised), Internet Relay Chat (IRC) and peer-to-peer and file-sharing networks. As always, the mantra applies: Don't accept anything online from anyone you don't know — especially if they're claiming it's free.
Again, the trusted zones can be exploited by an infected site.
Last edited by evilfantasy : 18-03-2008 at 03:07 AM.
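The moderator's triage above can be turned into a repeatable check. The script below is an added example, not code from this thread and not part of HijackThis; it parses the HJT v2 line format shown in post #1 and flags the entry classes discussed here: every O15 trusted-zone host, O10 unknown Winsock LSP entries (deduplicated, since one LSP is listed once per protocol chain it hooks), O23 services with no recorded vendor, O4 autostarts that launch a script host, O16 ActiveX downloads with no source URL, and any entry pointing at a JRE older than a threshold. The sample log, the GUIDs and paths in it, and the 1.6 Java cut-off (chosen because the log in post #1 shows a jre-6u5 installer running while the BHO still points at jre1.5.0_11) are all constructed assumptions.

```python
"""Triage a HijackThis (HJT) log for the entry classes this thread discusses.

Added example, not part of the thread and not HijackThis's own code. SAMPLE_LOG
is constructed to mimic the HJT v2 line format; every path, GUID and host in it
is made up.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.corp.example:8080
O2 - BHO: SSVHelper Class - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [DiskCheck] wscript.exe "C:\windows\_config\DiskCheck.vbs"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: http://*.intranet.example (HKLM)
O15 - Trusted Zone: *.training.example.com (HKLM)
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Legacy Applet Loader) -
O16 - DPF: {00000000-0000-0000-0000-000000000003} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/x.cab
O23 - Service: Backup Helper - Unknown owner - C:\Program Files\Vendor\helper.exe
O23 - Service: Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
"""

# An HJT entry is "<section> - <body>", e.g. "O15 - Trusted Zone: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")
# Sun JRE install directories look like jre1.5.0_11 (major.minor.patch_update).
JRE_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)
SCRIPT_HOST_RE = re.compile(r"\b[wc]script\.exe\b", re.IGNORECASE)


def parse_hjt(text):
    """Return (section, body) pairs for every R*/F*/O* entry, in file order."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text, min_java=(1, 6)):
    """Flag the entry classes discussed in the thread; returns a list of findings."""
    findings = []
    lsp_counts = Counter()
    for section, body in parse_hjt(text):
        if section == "O15":
            # Any trusted-zone host runs with IE's relaxed zone settings; review each one.
            findings.append({"section": section, "reason": "trusted zone entry", "entry": body})
        elif section == "O10":
            lsp_counts[body] += 1  # the same LSP appears once per protocol chain
        elif section == "O4" and SCRIPT_HOST_RE.search(body):
            findings.append({"section": section, "reason": "autostart runs a script host", "entry": body})
        elif section == "O23" and "Unknown owner" in body:
            findings.append({"section": section, "reason": "service with no vendor", "entry": body})
        elif section == "O16" and body.rstrip().endswith("-"):
            findings.append({"section": section, "reason": "ActiveX control with no source URL", "entry": body})
        jm = JRE_RE.search(body)
        if jm and (int(jm.group(1)), int(jm.group(2))) < min_java:
            findings.append({"section": section, "reason": "outdated Java runtime", "entry": body})
    for lsp, n in lsp_counts.items():
        findings.append({"section": "O10", "reason": f"unknown Winsock LSP (listed {n}x)", "entry": lsp})
    return findings


def summarize(findings):
    """Count findings per HJT section, e.g. Counter({'O15': 2, 'O10': 1, ...})."""
    return Counter(f["section"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f['section']:<4} {f['reason']:<38} {f['entry']}")
    print(dict(summarize(results)))
```

Run it against a saved hijackthis.log by replacing SAMPLE_LOG with the file's contents. A finding is a prompt to verify, not a verdict: the O4 script-host entries in post #1, for instance, are corporate maintenance scripts, and the point of listing them is to make a reviewer confirm that before dismissing them.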
#9  18-03-2008, 03:31 AM  evilfantasy (CJ Moderator)

Originally Posted by solotekk: vundofix from www.atribune.org, correct?
http://vundofix.atribune.org/
#10  18-03-2008, 05:53 PM  evilfantasy (CJ Moderator)

I should mention also that many vundo trojans can "hide" from hijackthis.exe; therefore it won't show up in HJT logs, so it should be renamed before running the scan.
  • Go to C:\Program Files\Trend Micro\HijackThis.exe
  • Right click on HijackThis.exe and select Rename.
  • Type in sniper.exe and press Enter.
  • Right-click on sniper.exe and select Send To > Desktop (create shortcut)

Copyright ©2006 - 2008 Computer Juice.