Infected by Trojan.Vundo.H. Not Able to Clean It.
#21
25th May 2009, 11:49

Hi Steve,

Find the ComboFix log below.

ComboFix 09-05-25.01 - swami 05/25/2009 14:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.667 [GMT -4:00]
Running from: c:\documents and settings\swami\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\drivers\UACnijnqtyxjxjdlgd.sys
c:\windows\system32\UACblflxvsrhpltiba.log
c:\windows\system32\UACbvmwukkibyldooa.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkygqsltowsbklfg.log
c:\windows\system32\UACoulkmorvrtpmyof.dll
c:\windows\system32\UACqiglfpmchgiboiq.dll
c:\windows\system32\UACqpogioktsjumuyy.dll
c:\windows\system32\UACrdqbrnkgetnhdye.dat
c:\windows\system32\UACrohtvxoecjowhyk.dll
c:\windows\system32\UACrtlvckunrhilppm.dll
c:\windows\system32\wbem\proquota.exe
----- BITS: Possible infected sites -----
hxxp://downloadsoftwareserver.com
%~1 was missing
Restored copy from - %~2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-04-25 to 2009-05-25 )))))))))))))))))))))))))))))))
.
2009-05-25 18:42 . 2008-04-14 12:42 50176 -c--a-w c:\windows\system32\dllcache\proquota.exe
2009-05-25 18:42 . 2008-04-14 12:42 50176 ----a-w c:\windows\system32\proquota.exe
2009-05-25 14:22 . 2009-05-25 14:22 -------- d-----w C:\spoolerlogs
2009-05-25 14:05 . 2009-05-25 14:05 -------- d--h--w C:\VJVod_Cache
2009-05-24 18:46 . 2009-05-24 18:47 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-05-24 18:46 . 2009-05-24 19:07 -------- d-----w c:\windows\system32\ZoneLabs
2009-05-24 12:26 . 2009-05-24 12:41 -------- d-----w c:\windows\system32\121973
2009-05-18 23:22 . 2009-05-18 23:22 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-05-18 14:32 . 2008-10-16 18:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-05-17 22:57 . 2009-05-17 22:57 57344 ----a-w c:\documents and settings\swami\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-3e26f37f-n\Decora-SSE.dll
2009-05-17 22:57 . 2009-05-17 22:57 24064 ----a-w c:\documents and settings\swami\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-13e09f29-n\Decora-D3D.dll
2009-05-17 22:57 . 2009-05-17 22:57 315392 ----a-w c:\documents and settings\swami\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-749b3ca1-n\jogl.dll
2009-05-17 22:57 . 2009-05-17 22:57 20480 ----a-w c:\documents and settings\swami\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-749b3ca1-n\jogl_awt.dll
2009-05-17 22:57 . 2009-05-17 22:57 20480 ----a-w c:\documents and settings\swami\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-78c787f9-n\gluegen-rt.dll
2009-05-17 22:57 . 2009-05-17 22:57 114688 ----a-w c:\documents and settings\swami\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-749b3ca1-n\jogl_cg.dll
2009-05-17 22:57 . 2009-05-17 22:57 499712 ----a-w c:\documents and settings\swami\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2721635c-n\msvcp71.dll
2009-05-17 22:57 . 2009-05-17 22:57 499712 ----a-w c:\documents and settings\swami\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2721635c-n\jmc.dll
2009-05-17 22:57 . 2009-05-17 22:57 348160 ----a-w c:\documents and settings\swami\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2721635c-n\msvcr71.dll
2009-05-17 22:47 . 2009-05-17 22:47 38344 ---ha-w c:\windows\system32\mlfcache.dat
2009-05-17 12:19 . 2009-05-17 12:19 5589408 ----a-w c:\documents and settings\swami\Application Data\TVU Networks\TVU AutoUpgrade\TVUPlayer2.4.5.3.exe
2009-05-15 23:48 . 2009-05-24 18:37 117760 ----a-w c:\documents and settings\swami\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-15 23:47 . 2009-05-15 23:47 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-15 23:47 . 2009-05-24 14:12 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-15 23:47 . 2009-05-15 23:47 -------- d-----w c:\documents and settings\swami\Application Data\SUPERAntiSpyware.com
2009-05-14 16:17 . 2009-05-14 16:17 -------- d-----w c:\program files\Trend Micro
2009-05-10 19:50 . 2009-05-10 19:51 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-05-09 02:11 . 2009-05-09 02:11 -------- d-----w c:\documents and settings\swami\Application Data\orotyqae
2009-05-09 02:11 . 2009-05-09 02:11 -------- d-----w c:\documents and settings\swami\Local Settings\Application Data\orotyqae
2009-05-03 21:37 . 2009-05-03 21:37 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\nagasoft
2009-05-03 03:50 . 2009-05-03 03:58 -------- d-----w c:\documents and settings\swami\Application Data\Move Networks
2009-05-03 03:50 . 2009-05-03 03:50 34062 ----a-w c:\documents and settings\swami\Application Data\Move Networks\ie_bin\Uninst.exe
2009-05-02 17:07 . 2009-05-02 17:07 -------- d-----w c:\windows\system32\nagasoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 18:39 . 2007-06-11 16:43 16 --sh--r c:\windows\MSCIOTL.SYS
2009-05-25 18:39 . 2007-06-11 16:43 16 --sh--r C:\MSCIOTL.SYS
2009-05-25 18:20 . 2008-10-20 21:46 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-25 18:15 . 2008-12-26 16:36 -------- d-----w c:\program files\NOS
2009-05-25 18:15 . 2008-12-26 16:36 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-05-25 15:03 . 2008-10-20 21:46 -------- d-----w c:\program files\Spyware Doctor
2009-05-25 14:19 . 2009-05-25 14:33 170792 ----a-w c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-05-25 00:37 . 2008-09-21 20:17 1915520 ----a-w c:\documents and settings\swami\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-05-24 12:52 . 2007-06-11 16:43 8416 ----a-w c:\windows\system32\drivers\CDProbe.SYS
2009-05-21 12:49 . 2006-09-11 13:16 -------- d-----w c:\program files\Cisco VPN client
2009-05-17 22:57 . 2007-07-05 23:58 -------- d-----w c:\program files\Java
2009-05-17 22:56 . 2009-04-16 13:11 152576 ----a-w c:\documents and settings\swami\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-17 22:51 . 2007-07-14 01:14 -------- d-----w c:\program files\Google
2009-05-15 23:47 . 2006-08-30 18:49 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-14 14:35 . 2006-09-08 19:39 -------- d-----w c:\program files\Symantec AntiVirus
2009-05-02 17:13 . 2008-11-07 01:30 -------- d-----w c:\program files\TVAnts
2009-04-26 01:14 . 2009-01-30 06:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-26 01:14 . 2009-02-14 04:53 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-14 08:00 . 2009-04-15 17:44 259368 ----a-w c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2d1c14.vdb\ECMSVR32.DLL
2009-04-06 19:32 . 2009-01-30 06:06 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-01-30 06:06 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-09 09:19 . 2008-12-19 17:30 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 21:06 . 2009-02-28 21:06 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-02-27 02:56 . 2008-06-01 16:22 45272 ----a-w c:\documents and settings\swami\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-12-15 925696]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-15 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-15 118784]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-15 77824]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 237568]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"AMSG"="c:\progra~1\THINKV~2\AMSG\amsg.exe" [2005-11-14 487424]
"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]
"TrackPointSrv"="tp4mon.exe" - c:\windows\system32\tp4mon.exe [2008-04-14 82944]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w c:\windows\system32\notifyf2.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"getPlus(R) Helper"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="1"
"UpdatesDisableNotify"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\Symantec AntiVirus\\VPC32.exe"=
"c:\\Program Files\\Spyware Doctor\\pctsGui.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7195:TCP"= 7195:TCP:@xpsp2res.dll,-22009
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [9/7/2006 4:33 PM 85760]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [9/7/2006 4:33 PM 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [9/8/2006 2:23 PM 4442]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
R2 smefs;SMEFileSystem;c:\windows\system32\drivers\smefs.sys [6/11/2007 12:41 PM 20508]
R3 smedrv;SMEDriver;c:\windows\system32\drivers\smedrv.sys [6/11/2007 12:41 PM 9516]
S2 smihlp;SMI helper driver;\??\c:\program files\ThinkVantage Fingerprint Software\smihlp.sys --> c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [?]
S3 CdProbe;CdProbe;c:\windows\system32\drivers\CDProbe.SYS [6/11/2007 12:43 PM 8416]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/20/2008 5:46 PM 356920]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [11/18/2005 4:21 PM 58624]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [8/5/2005 3:42 PM 73600]
--- Other Services/Drivers In Memory ---
*Deregistered* - EraserUtilDrv10910
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc
.
Contents of the 'Scheduled Tasks' folder
2009-05-25 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-09-08 08:12]
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-procexp90.Sys

.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=localhost:7171
FF - ProfilePath - c:\documents and settings\swami\Application Data\Mozilla\Firefox\Profiles\xc0kh7hp.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-25 14:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]
"ImagePath"="-"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1012)
c:\_integra\bin\smegina.dll
c:\_integra\bin\report.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-05-25 14:44
ComboFix-quarantined-files.txt 2009-05-25 18:44
ComboFix2.txt 2009-05-22 01:49
ComboFix3.txt 2009-05-20 00:22
ComboFix4.txt 2009-05-18 16:54
ComboFix5.txt 2009-05-25 18:31
Pre-Run: 36,288,339,968 bytes free
Post-Run: 36,346,765,312 bytes free
242 --- E O F --- 2009-05-18 23:26

Thanks,
Swami.
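Added example, not part of Swami's post and not ComboFix's own code: a small Python triage script that walks a ComboFix log in the format shown above and pulls out the entries a responder would check first. The sample input is a subset of lines copied from the log in the post; the heuristics are the example's own assumptions, namely that the random-named UAC*.sys/.dll files under system32 belong with the removed UACd.sys service, that an IE ProxyServer value pointing at localhost routes all browser HTTP through a local listener on that port, and that Security Center "DisableNotify"/"DisableMonitoring" values of 1 next to a disabled on-access scanner are worth flagging. Section names, the "hxxp" defanging and the "dword:" notation are taken as they appear in the log.

```python
"""Triage a ComboFix log: extract the indicators a responder would check first.

Added example; the parsing rules and heuristics are assumptions of this example,
not ComboFix's documented format. SAMPLE_LOG is a subset of the lines from the
forum post, copied verbatim.
"""
import re

SAMPLE_LOG = r"""
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\windows\system32\drivers\UACnijnqtyxjxjdlgd.sys
c:\windows\system32\uacinit.dll
c:\windows\system32\UACoulkmorvrtpmyof.dll
c:\windows\system32\wbem\proquota.exe
----- BITS: Possible infected sites -----
hxxp://downloadsoftwareserver.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="1"
"UpdatesDisableNotify"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7195:TCP"= 7195:TCP:@xpsp2res.dll,-22009
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=localhost:7171
"""

SECTION = re.compile(r"^\(+\s*(.+?)\s*\)+$")           # (((( Name ))))
SUBSECTION = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")     # ----- Name -----
SERVICE_REMOVED = re.compile(r"^-+\\Service_(\S+)$")   # -------\Service_x.sys
AV_HEADER = re.compile(r"^AV:\s*(.+?)\s*\*(.+?)\*")     # AV: Name *state*
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
PROXY = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
PROXY_ENDPOINT = re.compile(r"(?:^|;)(?:\w+=)?([^:;]+):(\d+)")  # http=host:port;...
UAC_FILE = re.compile(r"\\uac[a-z]{4,}\.(?:sys|dll|log|dat)$", re.I)  # assumption: rootkit naming
OPEN_PORT = re.compile(r"^(\d+):(TCP|UDP)$", re.I)
LOOPBACK = {"localhost", "127.0.0.1"}
DISABLED = {'"1"', "dword:00000001"}


def triage(log_text):
    """Return a dict of finding categories -> list of matching log entries."""
    keys = ("av_state", "deletions", "uac_files", "removed_services",
            "bits_sites", "security_center", "open_ports", "local_proxy")
    findings = {k: [] for k in keys}
    section, reg_key = "", ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION.match(line) or SUBSECTION.match(line)
        if m:                                   # new section resets registry context
            section, reg_key = m.group(1), ""
            continue
        m = SERVICE_REMOVED.match(line)
        if m:
            findings["removed_services"].append(m.group(1))
            continue
        m = AV_HEADER.match(line)
        if m:
            if "disabled" in m.group(2).lower():
                findings["av_state"].append(f"{m.group(1)}: {m.group(2)}")
            continue
        m = REG_KEY.match(line)
        if m:
            reg_key = m.group(1).lower()
            continue
        m = REG_VALUE.match(line)
        if m and reg_key:
            name, value = m.group(1), m.group(2).strip()
            if "security center" in reg_key and value in DISABLED:
                findings["security_center"].append(f"{reg_key}\\{name} = {value}")
            elif "globallyopenports" in reg_key:
                p = OPEN_PORT.match(name)
                if p:
                    findings["open_ports"].append(f"{p.group(1)}/{p.group(2).upper()}")
            continue
        m = PROXY.match(line)
        if m:
            value = m.group(1)
            hosts = {h.lower() for h, _ in PROXY_ENDPOINT.findall(value)}
            if hosts & LOOPBACK:                # browser traffic goes through a local listener
                findings["local_proxy"].append(value)
            continue
        if section == "Other Deletions":
            findings["deletions"].append(line)
            if UAC_FILE.search(line):
                findings["uac_files"].append(line)
        elif section.startswith("BITS"):        # ComboFix keeps these defanged as hxxp://
            findings["bits_sites"].append(line)
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        if items:
            print(f"[{category}]")
            for item in items:
                print("   ", item)
```

Run it as-is to see the categories for the sample; point `triage()` at the full log text to cover the rest of the post. The same loop can be extended to the LOCKED REGISTRY KEYS block or to the Symantec service entries near the end of the log whose ImagePath is shown as "-", which are the next things a responder would want listed alongside the disabled on-access scanner.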
Copyright ©2006 - 2009 Computer Juice.