
Virtumonde - Vundo Problem


  • This topic is locked
6 replies to this topic

#1 zails

  • Members
  • 5 posts

Posted 16 January 2008 - 08:45 AM

Hi guys,
I have been having trouble with Vundo. I have used VundoFix.exe and the http://www.atribune.org website and the FixVundo.exe tool that Symantec provides.
After every removal I log in again in normal mode and it appears again.
This is the log file from HijackThis (I have renamed hijackthis.exe to Hi.exe):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:46 μμ, on 16/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\AVTC\PavSrv51.exe
C:\Program Files\Panda Software\AVTC\AVENGINE.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\Program Files\Panda Software\AVTC\PsCtrlS.exe
C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
C:\Program Files\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\pagentwd.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\AVTC\PSKMsSvc.exe
C:\Program Files\Panda Software\AVTC\PsImSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Panda Software\AVTC\SrvLoad.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\AVTC\WebProxy.exe
C:\Program Files\PrevxCSI\prevxcsi .exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\MySQL\MySQL Tools for 5.0\MySQLSystemTrayMonitor.exe
C:\Program Files\ProcessGuard\pgaccount .exe
C:\Program Files\ProcessGuard\procguard .exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007 .exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Opera\Opera.exe
C:\HijackThis\Hi.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mps/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtqo.exe
O2 - BHO: (no name) - {67A3140A-4786-4568-92BA-9A1BAEA86686} - C:\WINDOWS\system32\awtqo.dll
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi .exe" -boot
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Startup: MySQL System Tray Monitor.lnk = C:\Program Files\MySQL\MySQL Tools for 5.0\MySQLSystemTrayMonitor.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Total Commander.lnk = C:\totalcmd\TOTALCMD.EXE
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2008\spy.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = velti.net
O17 - HKLM\Software\..\Telephony: DomainName = velti.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = velti.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = velti.net
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\AVTC\PsCtrlS.exe
O23 - Service: Panda AdminSecure Communications Agent (PAVAGENTE) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\Pav_Agent\Pagent.exe
O23 - Service: Panda AdminSecure Scheduler (PavAtScheduler) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\Scheduler\pavsched.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda Antivirus Report Service (PavReport) - Panda Software - C:\Program Files\Panda Software\Panda Administrator 3\PavReport\PavReport.exe
O23 - Service: Panda Antivirus Service (PavSrv) - Panda Software International - C:\Program Files\Panda Software\AVTC\PavSrv51.exe
O23 - Service: Panda AntiSpam Engine (PMShellSrv) - Panda Software International - C:\Program Files\Panda Software\AVTC\PSKMsSvc.exe
O23 - Service: Panda IManager Service (PsImSvc) - Panda Software International - C:\Program Files\Panda Software\AVTC\PsImSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\xampp\service.exe

--
End of file - 8578 bytes


#2 zails

  • Topic Starter
  • Members
  • 5 posts

Posted 16 January 2008 - 12:05 PM

Hi again.
I saw in other posts about the same problem that a ComboFix log was required as well, so I unplugged the LAN cable and ran ComboFix.
This is the log:

combofix.txt
ComboFix 08-01-16.4 - zpontikas 2008-01-16 18:44:48.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1253.1.1033.18.746 [GMT 2:00]
Running from: C:\Documents and Settings\zpontikas\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.

2008-01-16 18:44 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 17:28 . 2008-01-16 17:28 <DIR> d-------- C:\Deckard
2008-01-16 16:58 . 2008-01-16 16:58 131 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2008-01-16 16:19 . 2008-01-16 16:13 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-16 16:12 . 2008-01-16 16:22 <DIR> d-------- C:\Documents and Settings\zpontikas\.housecall6.6
2008-01-16 16:05 . 2008-01-16 16:05 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-01-16 14:04 . 2008-01-16 18:42 80,220 --a------ C:\WINDOWS\system32\pghash.dat
2008-01-16 14:03 . 2008-01-16 18:41 139,392 --a------ C:\WINDOWS\system32\pguard.dat
2008-01-16 12:52 . 2008-01-16 18:20 <DIR> d-------- C:\Program Files\ProcessGuard
2008-01-16 12:52 . 2004-10-13 17:06 106,496 --a------ C:\WINDOWS\system32\procguard.dll
2008-01-16 12:52 . 2005-01-20 14:13 24,911 --a------ C:\WINDOWS\system32\drivers\procguard.sys
2008-01-16 12:34 . 2008-01-16 13:53 <DIR> d-------- C:\Program Files\Trisnap Technologies
2008-01-16 12:34 . 2006-04-13 22:05 159,744 --a------ C:\WINDOWS\system32\hasher.dll
2008-01-16 12:01 . 2008-01-16 12:04 <DIR> d-------- C:\temp
2008-01-15 20:22 . 2008-01-15 20:23 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-15 20:22 . 2008-01-15 20:22 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-15 20:22 . 2008-01-15 20:22 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-15 20:22 . 2008-01-15 20:22 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-15 19:27 . 2008-01-15 19:27 23 --a------ C:\WINDOWS\system32\c6_r.ocx
2008-01-15 19:26 . 2008-01-15 19:26 <DIR> d-------- C:\Program Files\jv16 PowerTools 2007
2008-01-15 18:47 . 2008-01-16 18:19 <DIR> d-------- C:\Program Files\PrevxCSI
2008-01-15 18:33 . 2008-01-16 15:22 <DIR> d-------- C:\Documents and Settings\zpontikas\Application Data\PrevxCSI
2008-01-15 18:33 . 2008-01-15 18:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-15 17:39 . 2008-01-15 17:39 <DIR> d-------- C:\Documents and Settings\zisisp\Application Data\IDMComp
2008-01-15 17:32 . 2008-01-16 12:19 <DIR> d-------- C:\to delete
2008-01-15 16:27 . 2008-01-15 16:27 <DIR> d-------- C:\Program Files\Launchy
2008-01-15 16:27 . 2008-01-15 16:28 <DIR> d-------- C:\Documents and Settings\zpontikas\Application Data\Launchy
2008-01-15 16:16 . 2007-07-10 15:38 4,608 --a------ C:\starttc.exe
2008-01-15 15:42 . 2008-01-15 15:44 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-15 13:19 . 2008-01-16 17:02 <DIR> d-------- C:\VundoFix Backups
2008-01-15 12:57 . 2008-01-15 12:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-15 12:10 . 2008-01-16 16:44 143 --a------ C:\WINDOWS\wininit.ini
2008-01-15 11:55 . 2008-01-15 11:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-15 11:47 . 2008-01-15 11:47 <DIR> d-------- C:\Program Files\Acesoft
2008-01-15 11:35 . 2008-01-15 11:36 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-15 11:32 . 2008-01-15 13:14 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-15 11:08 . 2008-01-16 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-15 03:03 . 2008-01-15 03:03 <DIR> d-------- C:\WINDOWS\SQLTools9_KB932557_ENU
2008-01-15 03:01 . 2008-01-15 03:01 <DIR> d-------- C:\WINDOWS\RS9_KB932557_ENU
2008-01-14 19:10 . 2008-01-16 18:08 <DIR> d-------- C:\HijackThis
2008-01-14 12:50 . 2008-01-14 12:51 <DIR> d-------- C:\Documents and Settings\zpontikas\Application Data\TrueCrypt
2008-01-14 12:47 . 2008-01-14 12:47 <DIR> d-------- C:\Program Files\TrueCrypt
2008-01-14 12:47 . 2007-12-11 00:00 188,672 --a------ C:\WINDOWS\system32\drivers\truecrypt.sys
2008-01-14 11:51 . 2008-01-14 11:52 <DIR> d-------- C:\Documents and Settings\zpontikas\Application Data\IBM
2008-01-14 10:41 . 2008-01-15 12:45 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2008-01-14 10:41 . 2008-01-15 12:45 114,688 --a------ C:\WINDOWS\system32\igfxpers .exe
2008-01-14 10:40 . 2008-01-15 12:45 94,208 --a------ C:\WINDOWS\system32\igfxtray .exe
2008-01-14 10:40 . 2008-01-15 12:45 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-11 19:05 . 2008-01-11 19:05 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-11 18:13 . 2008-01-14 18:54 <DIR> d-------- C:\Program Files\IBM
2008-01-11 17:52 . 2008-01-14 15:32 <DIR> d-------- C:\mq-series
2008-01-11 16:17 . 2008-01-11 17:51 <DIR> d-------- C:\DownloadDirector
2008-01-10 13:17 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-10 13:17 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-01-10 13:17 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-10 12:48 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-10 12:46 . 2008-01-10 12:46 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-08 16:06 . 2008-01-08 16:06 <DIR> d-------- C:\Program Files\Ipswitch
2008-01-08 16:06 . 2008-01-08 16:06 <DIR> d-------- C:\Documents and Settings\zpontikas\Application Data\Ipswitch
2008-01-08 16:06 . 2008-01-08 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ipswitch
2008-01-08 16:06 . 2007-01-31 02:01 606,293 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-01-08 16:06 . 2007-01-31 02:01 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-01-08 14:45 . 2008-01-08 14:45 53 --a------ C:\WINDOWS\Frigate3.ini
2008-01-08 14:38 . 2008-01-08 17:27 <DIR> d-------- C:\Program Files\Frigate3
2008-01-08 14:38 . 2008-01-08 14:45 <DIR> d-------- C:\Documents and Settings\zpontikas\Application Data\Frigate3
2008-01-03 19:08 . 2008-01-03 19:08 <DIR> d-------- C:\Program Files\Common Files\Altova
2008-01-03 19:08 . 2008-01-03 19:08 <DIR> d-------- C:\Program Files\Altova
2008-01-03 19:07 . 2008-01-03 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Altova
2008-01-02 15:03 . 2008-01-02 15:03 <DIR> d-------- C:\apache-tomcat-6.0.14-clean
2007-12-18 16:34 . 2007-12-18 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2007-12-18 11:57 . 2007-12-18 11:57 <DIR> d-------- C:\Documents and Settings\zpontikas\.IntelliJIdea70
2007-12-17 12:00 . 2007-12-17 12:00 99 --a------ C:\WINDOWS\surgemail_uninstall.err

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 16:19 --------- d-----w C:\Program Files\Windows Defender
2008-01-16 16:19 --------- d-----w C:\Program Files\MSN Messenger
2008-01-16 13:44 --------- d-----w C:\Documents and Settings\zpontikas\Application Data\MySQL
2008-01-16 11:50 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-16 11:32 --------- d-----w C:\Program Files\ue_toolbar
2008-01-16 11:32 --------- d-----w C:\Program Files\Google
2008-01-15 10:57 --------- d-----w C:\Program Files\Lavasoft
2008-01-15 10:56 --------- d-----w C:\Documents and Settings\admin\Application Data\Lavasoft
2008-01-15 08:46 --------- d-----w C:\Documents and Settings\zpontikas\Application Data\ue_toolbar
2008-01-15 01:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-15 01:03 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-01-10 10:46 --------- d-----w C:\Program Files\MSBuild
2008-01-10 10:40 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-01-08 14:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-21 08:33 --------- d-----w C:\Program Files\Opera
2007-12-18 09:46 --------- d-----w C:\Program Files\Bonjour
2007-12-18 09:45 --------- d-----w C:\Program Files\TortoiseCVS
2007-12-18 09:45 --------- d-----w C:\Program Files\PowerISO
2007-12-18 09:37 --------- d-----w C:\Program Files\JetBrains
2007-12-17 10:24 --------- d-----w C:\Program Files\AceCapture
2007-12-17 08:41 --------- d-----w C:\Program Files\Notepad++
2007-12-17 08:21 --------- d-----w C:\Program Files\CoffeeCup Software
2007-12-13 15:38 --------- d-----w C:\Program Files\PageBreeze
2007-12-04 13:50 86,016 ----a-w C:\WINDOWS\system32\LinkDropHandler.dll
2007-12-04 13:43 491,520 ----a-r C:\WINDOWS\system32\XmlSpyLib.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 15:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
.
----a-w		 1,343,336 2008-01-15 12:03:17  C:\Program Files\Acesoft\Tracks Eraser Pro\te .exe
----a-w			15,360 2008-01-15 11:14:50  C:\WINDOWS\system32\ctfmon .exe
----a-w			77,824 2008-01-15 10:45:11  C:\WINDOWS\system32\hkcmd .exe
----a-w		   114,688 2008-01-15 10:45:13  C:\WINDOWS\system32\igfxpers .exe
----a-w			94,208 2008-01-15 10:45:09  C:\WINDOWS\system32\igfxtray .exe
----a-w		   155,648 2008-01-15 10:45:14  C:\WINDOWS\system32\NeroCheck .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
@={5d1cb710-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
@={5d1cb711-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
@={5d1cb712-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
@={5d1cb713-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
@={5d1cb714-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
@={5d1cb715-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
@={5d1cb716-1c4b-11d4-bed5-005004b1f42f}

[HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
2006-05-15 23:08 1073152 --a------ C:\Program Files\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
2006-05-15 23:08 1073152 --a------ C:\Program Files\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
2006-05-15 23:08 1073152 --a------ C:\Program Files\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
2006-05-15 23:08 1073152 --a------ C:\Program Files\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
2006-05-15 23:08 1073152 --a------ C:\Program Files\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
2006-05-15 23:08 1073152 --a------ C:\Program Files\TortoiseCVS\TrtseShl.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
2006-05-15 23:08 1073152 --a------ C:\Program Files\TortoiseCVS\TrtseShl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!1_ProcessGuard_Startup"="C:\Program Files\ProcessGuard\procguard.exe" [2008-01-16 15:02 280064]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB3691"="command /c del C:\WINDOWS\system32\awtqo.dll" [ ]
"SpybotDeletingD8584"="cmd /c del C:\WINDOWS\system32\awtqo.dll" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi .exe" [ ]
"!1_pgaccount"="C:\Program Files\ProcessGuard\pgaccount.exe" [2008-01-16 15:02 184320]

C:\Documents and Settings\zpontikas\Start Menu\Programs\Startup\
MySQL System Tray Monitor.lnk - C:\Program Files\MySQL\MySQL Tools for 5.0\MySQLSystemTrayMonitor.exe [2007-05-08 19:43:38]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]
Total Commander.lnk - C:\totalcmd\TOTALCMD.EXE [2007-05-14 10:08:30]
Yahoo! Widgets.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-12 00:34:48]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2008-01-15 16:27:35]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-05-14 11:10:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 21:02 50736 C:\WINDOWS\system32\avldr.dll

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 10:21]
S1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 10:21]
S1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\Drivers\ShlDrv51.sys [2007-10-17 14:03]
S2 DCSPGSRV;DiamondCS Process Guard Service v3.000;"C:\Program Files\ProcessGuard\dcsuserprot.exe" [2005-01-20 14:25]
S2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-10-15 13:16]
S2 procguard;procguard;C:\WINDOWS\system32\drivers\procguard.sys [2005-01-20 14:13]
S2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);"c:\Program Files\Microsoft SQL Server\MSSQL.1\Reporting Services\ReportServer\bin\ReportingServicesService.exe" [2007-03-03 23:09]
S2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 10:21]
S2 XAMPP;XAMPP Service;C:\xampp\service.exe [2006-10-23 15:24]
S3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 12:55]
S3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2003-02-11 12:25]
S3 SMTPSVC;smtpsvc;C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 14:00]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2005-09-23 06:01]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5084F01D-458E-45EB-A6FD-692D4C9D2789}]
C:\WINDOWS\system32\msiexec.exe /qn /fpu {5084F01D-458E-45EB-A6FD-692D4C9D2789}
.
Contents of the 'Scheduled Tasks' folder
"2008-01-16 16:46:27 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 18:50:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-16 18:51:11
ComboFix-quarantined-files.txt 2008-01-16 16:51:09
ComboFix2.txt 2008-01-16 16:39:33
.
2008-01-16 08:34:33 --- E O F ---

#3 zails

  • Topic Starter
  • Members
  • 5 posts

Posted 16 January 2008 - 12:44 PM

Hi again.
I have also found out that it creates duplicates of the files that are run as a service/process, with similar file sizes, and it puts a space just before the "." so, for example, I had Ad-Watch2007.exe and Ad-Watch2007 .exe running in the task panel. You can delete these files by just searching for files not older than the date you were infected.
Even so, the problem still persists...
It looks like I need to run a registry cleaner after VundoFix is run to remove its references. The personal firewall I installed really helped a lot in identifying this problem (Sunbelt Personal Firewall, btw).
Any info on that would be much appreciated
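The "name .exe" duplication described in the post above (a copy of a legitimate process with a space inserted before the extension) can be picked out of a HijackThis log mechanically. The script below is an added example for this thread, not a tool from the thread or from HijackThis; its sample input is a handful of lines copied from the log posted in #1, and it flags every path whose extension is preceded by whitespace and reports whether the space-free twin in the same directory also appears in the log.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PrevxCSI\prevxcsi .exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\ProcessGuard\pgaccount .exe
C:\Program Files\ProcessGuard\procguard .exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007 .exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\awtqo.exe
O2 - BHO: (no name) - {67A3140A-4786-4568-92BA-9A1BAEA86686} - C:\WINDOWS\system32\awtqo.dll
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi .exe" -boot
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
"""

# Any Windows path ending in a PE-style extension. The lazy quantifier stops at
# the first extension, so trailing arguments such as ' -boot' stay out of the match.
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]+?\.(?:exe|dll|sys|ocx)\b', re.IGNORECASE)

# A file name whose extension is separated from its stem by whitespace ("procguard .exe").
SPACED_EXT_RE = re.compile(r'^(?P<stem>.*\S)\s+(?P<ext>\.[A-Za-z0-9]+)$')


def extract_paths(log_text):
    """Return [(line_no, path)] for every executable path found in the log text."""
    found = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for match in WIN_PATH_RE.finditer(line):
            found.append((line_no, match.group(0)))
    return found


def find_spaced_extensions(log_text):
    """Flag paths with a space before the extension and say whether the
    legitimate-looking twin (same directory, space removed) is also in the log."""
    paths = extract_paths(log_text)
    present = {p.lower() for _, p in paths}
    findings = {}
    for line_no, path in paths:
        directory, _, name = path.rpartition('\\')
        m = SPACED_EXT_RE.match(name)
        if not m:
            continue
        expected = directory + '\\' + m.group('stem') + m.group('ext')
        key = path.lower()  # the same path may appear in several log sections
        if key not in findings:
            findings[key] = {
                'path': path,
                'expected': expected,
                'twin_present': expected.lower() in present,
                'lines': [],
            }
        findings[key]['lines'].append(line_no)
    return sorted(findings.values(), key=lambda f: f['lines'][0])


if __name__ == '__main__':
    for f in find_spaced_extensions(SAMPLE_LOG):
        status = 'twin present' if f['twin_present'] else 'no space-free twin in log'
        print(f"{f['path']}  (expected {f['expected']}; {status}; lines {f['lines']})")
```

A spaced name whose twin is absent (prevxcsi .exe in the sample) deserves a second look too: it may be the only copy left after the real one was removed, or the spaced file may simply be a product's own oddly named binary, so confirm with file dates and hashes before deleting anything.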

#4 zails

  • Topic Starter
  • Members
  • 5 posts

Posted 17 January 2008 - 08:40 AM

bump
I would also like to thank you in advance for taking the time and looking into my problem.

Edited by zails, 17 January 2008 - 09:23 AM.


#5 zails

  • Topic Starter
  • Members
  • 5 posts

Posted 17 January 2008 - 12:38 PM

I have run combofix.exe one more time and I think the system is clean now.
I have uploaded the hijack this and combofix logs.
After ComboFix finished and restarted the PC (in safe mode), I ran cleanup!.exe to clean all temp files and restarted the PC again.
Thank you in advance for looking at my log. I really appreciate the time you spend in helping me.

Attached Files



#6 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 31 January 2008 - 07:09 PM

Hello zails,

Welcome to Bleeping Computer :thumbsup:

Sorry about the delay.:blink: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#7 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 12 February 2008 - 08:21 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic



